A Visual Tour of PLONK
Suyash Bagad
Equations to Arithmetic Circuits
x^3 - 23x^2 + 142x = 120
Equation
I claim that I know the solutions and they are
How do I prove that I know the solutions without revealing them? A zero-knowledge proof!
x = 1, 10, 12
Translate the equation to a circuit
Equations to Arithmetic Circuits
x^3 - 23x^2 + 142x = 120
\(x\)
\(\ast\)
\(\ast\)
\(-23\)
\(\ast\)
\(\ast\)
\(142\)
\(+\)
\(+\)
\(120\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(a_2\)
\(a_1\)
\(a_0\)
\(c_3\)
\(c_5\)
\(c_4\)
\(c_6\)
\(c_7\)
\(c_8\)
\(a_9\)
\(a_3\)
\(a_5\)
\(a_4\)
\(a_6\)
\(a_7\)
\(a_8\)
\(b_8\)
\(b_7\)
\(b_4\)
\(b_6\)
\(b_5\)
\(b_3\)
Equations to Arithmetic Circuits
\(x\)
\(\ast\)
\(\ast\)
\(-23\)
\(\ast\)
\(\ast\)
\(142\)
\(+\)
\(+\)
\(120\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(a_2\)
\(a_1\)
\(a_0\)
\(c_3\)
\(c_5\)
\(c_4\)
\(c_6\)
\(c_7\)
\(c_8\)
\(a_9\)
\(a_3\)
\(a_5\)
\(a_4\)
\(a_6\)
\(a_7\)
\(a_8\)
\(b_8\)
\(b_7\)
\(b_4\)
\(b_6\)
\(b_5\)
\(b_3\)
For \(i\)-th gate where \(i \in \{0, 1, \dots, 9\}\), we can write
\left(Q_{L_{i}}\right) a_{i}+\left(Q_{R_{i}}\right) b_{i}+\left(Q_{O_{i}}\right) c_{i}+\left(Q_{M_{i}}\right) a_{i} b_{i}+Q_{C_{i}}=0
Equations to Arithmetic Circuits
\(x\)
\(\ast\)
\(\ast\)
\(-23\)
\(\ast\)
\(\ast\)
\(142\)
\(+\)
\(+\)
\(120\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(a_2\)
\(a_1\)
\(a_0\)
\(c_3\)
\(c_5\)
\(c_4\)
\(c_6\)
\(c_7\)
\(c_8\)
\(a_9\)
\(a_3\)
\(a_5\)
\(a_4\)
\(a_6\)
\(a_7\)
\(a_8\)
\(b_8\)
\(b_7\)
\(b_4\)
\(b_6\)
\(b_5\)
\(b_3\)
A constant-gate for \(i = 0,\) set \(Q_{L_i} = 1, \ Q_{C_i} = -142\)
1 \cdot a_0 + 0 \cdot b_0 + 0 \cdot c_0 + 0\cdot a_0 b_0 + (-142) = 0
Equations to Arithmetic Circuits
\(x\)
\(\ast\)
\(\ast\)
\(-23\)
\(\ast\)
\(\ast\)
\(142\)
\(+\)
\(+\)
\(120\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(a_2\)
\(a_1\)
\(a_0\)
\(c_3\)
\(c_5\)
\(c_4\)
\(c_6\)
\(c_7\)
\(c_8\)
\(a_9\)
\(a_3\)
\(a_5\)
\(a_4\)
\(a_6\)
\(a_7\)
\(a_8\)
\(b_8\)
\(b_7\)
\(b_4\)
\(b_6\)
\(b_5\)
\(b_3\)
A multiplication-gate for \(i =5,\) set \(Q_{O_i} = -1, \ Q_{M_i} = 1\)
0 \cdot a_5 + 0 \cdot b_5 + (-1) \cdot c_5 + 1 \cdot a_5 b_5 + 0 = 0
Equations to Arithmetic Circuits
\(x\)
\(\ast\)
\(\ast\)
\(-23\)
\(\ast\)
\(\ast\)
\(142\)
\(+\)
\(+\)
\(120\)
\(0\)
\(1\)
\(2\)
\(3\)
\(4\)
\(5\)
\(6\)
\(7\)
\(8\)
\(9\)
\(a_2\)
\(a_1\)
\(a_0\)
\(c_3\)
\(c_5\)
\(c_4\)
\(c_6\)
\(c_7\)
\(c_8\)
\(a_9\)
\(a_3\)
\(a_5\)
\(a_4\)
\(a_6\)
\(a_7\)
\(a_8\)
\(b_8\)
\(b_7\)
\(b_4\)
\(b_6\)
\(b_5\)
\(b_3\)
An addition-gate for \(i = 8\)
1 \cdot a_8 + 1 \cdot b_8 + (-1) \cdot c_8 + 0 \cdot a_8 b_8 + 0 = 0
Towards Polynomials
\def\arraystretch{1.1}
\begin{array}{cccccccc}
1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\
1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\
1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\
0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\
0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\
0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\
0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\
1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\
1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\
1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\
\end{array}
\(Q_L\)
Towards Polynomials
\def\arraystretch{1.1}
\begin{array}{cccccccc}
1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\
1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\
1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\
0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\
0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\
0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\
0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\
1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\
1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\
1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\
\end{array}
\(Q_L\)
\(\cdot \ a\)
Towards Polynomials
\def\arraystretch{1.1}
\begin{array}{cccccccc}
1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\
1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\
1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\
0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\
0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\
0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\
0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\
1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\
1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\
1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\
\end{array}
\(Q_L\)
\(\cdot \ a\)
\(Q_R\)
Towards Polynomials
\def\arraystretch{1.1}
\begin{array}{cccccccc}
1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\
1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\
1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\
0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\
0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\
0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\
0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\
1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\
1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\
1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\
\end{array}
\(Q_L\)
\(\cdot \ a\)
\(Q_R\)
\(\cdot \ b\)
Towards Polynomials
\def\arraystretch{1.1}
\begin{array}{cccccccc}
1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\
1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\
1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\
0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\
0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\
0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\
0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\
1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\
1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\
1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\
\end{array}
\(Q_L\)
\(\cdot \ a\)
\(Q_R\)
\(\cdot \ b\)
\(Q_O\)
\(\cdot \ c\)
Towards Polynomials
\def\arraystretch{1.1}
\begin{array}{cccccccc}
1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\
1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\
1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\
0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\
0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\
0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\
0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\
1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\
1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\
1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\
\end{array}
\(Q_L\)
\(\cdot \ a\)
\(Q_R\)
\(\cdot \ b\)
\(Q_O\)
\(\cdot \ c\)
\(Q_M \cdot ab\)
Towards Polynomials
\def\arraystretch{1.1}
\begin{array}{cccccccc}
1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\
1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\
1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\
0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\
0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\
0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\
0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\
1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\
1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\
1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\
\end{array}
\(Q_L\)
\(\cdot \ a\)
\(Q_R\)
\(\cdot \ b\)
\(Q_O\)
\(\cdot \ c\)
\(Q_M \cdot ab\)
\(Q_C\)
\(+\)
\(+\)
\(+\)
\(+\)
\(=\)
\(0\)
Towards Polynomials
\def\arraystretch{1.1}
\begin{array}{cccccccc}
1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\
1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\
1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\
0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\
0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\
0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\
0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\
1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\
1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\
1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\
\end{array}
\(Q_L\)
\(\cdot \ a\)
\(Q_R\)
\(\cdot \ b\)
\(Q_O\)
\(\cdot \ c\)
\(Q_M \cdot ab\)
\(Q_C\)
\(+\)
\(+\)
\(+\)
\(+\)
\(=\)
\(0\)
Selector polynomials
Wire polynomials
Polynomial Representation
\(Q_C(X)\)
\begin{array}{lr}
(1, & \hspace{-3mm} -142) \\
(\omega, & \hspace{-3mm} -10) \\
(\omega^2, & \hspace{-3mm} 23) \\
(\omega^3, & \hspace{-3mm} 0) \\
(\omega^4, & \hspace{-3mm} 0) \\
(\omega^5, & \hspace{-3mm} 0) \\
(\omega^6, & \hspace{-3mm} 0) \\
(\omega^7, & \hspace{-3mm} 0) \\
(\omega^8, & \hspace{-3mm} 0) \\
(\omega^9, & \hspace{-3mm} 120) \\
\end{array}
Proof of Knowledge
Coke from Bottle
Coke from Can
Victor
Peter
\(x\)
\(V\)
\(P\)
Coke from Can
Victor
Peter
Guess?
Bottle!
\langle P, V \rangle (x) = \begin{cases}
1 & \text{if } V \text{ accepts} \\
0 & \text{if } V \text{ rejects}
\end{cases}
Proof of Knowledge
Coke from Bottle
Coke from Can
Victor
Peter
Try again!
Proof of Knowledge
Coke from Bottle
Victor
Peter
Can!
If \(P\) actually knows the taste, \( \Pr[ \langle P,V \rangle(x) = 1 ]\) = 1
If \(P\)'s claim is wrong, \( \Pr[ \langle P,V \rangle(x) = 1 ] = \left(\frac{1}{2}\right)^2 \)
\(\implies\) Completeness!
\(\implies\) Soundness!
Proof of Knowledge
Zero Knowledge Proofs
Zero Knowledge Proofs
Reveal!
Zero Knowledge Proofs
Zero Knowledge Proofs
Zero Knowledge Proofs
Zero Knowledge Proofs
Reveal!
Zero Knowledge Proofs
Zero Knowledge Proofs
On repeating the experiment a number of times,
- If the prover is honest, verifier accepts!
- If the prover is cheating, verifier will catch it!
- No information about 3-colouring is revealed!
\(\text{Completeness,}\)
\(\text{Soundness,}\)
\(\text{Zero-Knowledge!}\)
Promise of ZKPs
A Visual Tour of PLONK
By Suyash Bagad
A Visual Tour of PLONK
A deep dive in understanding PLONK through an example - the state-of-the-art zkSNARK proof system by Aztec Protocol.
