A Visual Tour of PLONK

Suyash Bagad

Equations to Arithmetic Circuits

x^3 - 23x^2 + 142x = 120

Equation

I claim that I know the solutions and they are

How do I prove that I know the solutions without revealing them? A zero-knowledge proof!

x = 1, 10, 12

Translate the equation to a circuit

Equations to Arithmetic Circuits

x^3 - 23x^2 + 142x = 120

\(x\)

\(\ast\)

\(\ast\)

\(-23\)

\(\ast\)

\(\ast\)

\(142\)

\(+\)

\(+\)

\(120\)

\(0\)

\(1\)

\(2\)

\(3\)

\(4\)

\(5\)

\(6\)

\(7\)

\(8\)

\(9\)

\(a_2\)

\(a_1\)

\(a_0\)

\(c_3\)

\(c_5\)

\(c_4\)

\(c_6\)

\(c_7\)

\(c_8\)

\(a_9\)

\(a_3\)

\(a_5\)

\(a_4\)

\(a_6\)

\(a_7\)

\(a_8\)

\(b_8\)

\(b_7\)

\(b_4\)

\(b_6\)

\(b_5\)

\(b_3\)

Equations to Arithmetic Circuits

\(x\)

\(\ast\)

\(\ast\)

\(-23\)

\(\ast\)

\(\ast\)

\(142\)

\(+\)

\(+\)

\(120\)

\(0\)

\(1\)

\(2\)

\(3\)

\(4\)

\(5\)

\(6\)

\(7\)

\(8\)

\(9\)

\(a_2\)

\(a_1\)

\(a_0\)

\(c_3\)

\(c_5\)

\(c_4\)

\(c_6\)

\(c_7\)

\(c_8\)

\(a_9\)

\(a_3\)

\(a_5\)

\(a_4\)

\(a_6\)

\(a_7\)

\(a_8\)

\(b_8\)

\(b_7\)

\(b_4\)

\(b_6\)

\(b_5\)

\(b_3\)

For \(i\)-th gate where \(i \in \{0, 1, \dots, 9\}\), we can write

\left(Q_{L_{i}}\right) a_{i}+\left(Q_{R_{i}}\right) b_{i}+\left(Q_{O_{i}}\right) c_{i}+\left(Q_{M_{i}}\right) a_{i} b_{i}+Q_{C_{i}}=0

Equations to Arithmetic Circuits

\(x\)

\(\ast\)

\(\ast\)

\(-23\)

\(\ast\)

\(\ast\)

\(142\)

\(+\)

\(+\)

\(120\)

\(0\)

\(1\)

\(2\)

\(3\)

\(4\)

\(5\)

\(6\)

\(7\)

\(8\)

\(9\)

\(a_2\)

\(a_1\)

\(a_0\)

\(c_3\)

\(c_5\)

\(c_4\)

\(c_6\)

\(c_7\)

\(c_8\)

\(a_9\)

\(a_3\)

\(a_5\)

\(a_4\)

\(a_6\)

\(a_7\)

\(a_8\)

\(b_8\)

\(b_7\)

\(b_4\)

\(b_6\)

\(b_5\)

\(b_3\)

A constant-gate for \(i = 0,\) set \(Q_{L_i} = 1, \ Q_{C_i} = -142\)

1 \cdot a_0 + 0 \cdot b_0 + 0 \cdot c_0 + 0\cdot a_0 b_0 + (-142) = 0

Equations to Arithmetic Circuits

\(x\)

\(\ast\)

\(\ast\)

\(-23\)

\(\ast\)

\(\ast\)

\(142\)

\(+\)

\(+\)

\(120\)

\(0\)

\(1\)

\(2\)

\(3\)

\(4\)

\(5\)

\(6\)

\(7\)

\(8\)

\(9\)

\(a_2\)

\(a_1\)

\(a_0\)

\(c_3\)

\(c_5\)

\(c_4\)

\(c_6\)

\(c_7\)

\(c_8\)

\(a_9\)

\(a_3\)

\(a_5\)

\(a_4\)

\(a_6\)

\(a_7\)

\(a_8\)

\(b_8\)

\(b_7\)

\(b_4\)

\(b_6\)

\(b_5\)

\(b_3\)

A multiplication-gate for \(i =5,\) set \(Q_{O_i} = -1, \ Q_{M_i} = 1\)

0 \cdot a_5 + 0 \cdot b_5 + (-1) \cdot c_5 + 1 \cdot a_5 b_5 + 0 = 0

Equations to Arithmetic Circuits

\(x\)

\(\ast\)

\(\ast\)

\(-23\)

\(\ast\)

\(\ast\)

\(142\)

\(+\)

\(+\)

\(120\)

\(0\)

\(1\)

\(2\)

\(3\)

\(4\)

\(5\)

\(6\)

\(7\)

\(8\)

\(9\)

\(a_2\)

\(a_1\)

\(a_0\)

\(c_3\)

\(c_5\)

\(c_4\)

\(c_6\)

\(c_7\)

\(c_8\)

\(a_9\)

\(a_3\)

\(a_5\)

\(a_4\)

\(a_6\)

\(a_7\)

\(a_8\)

\(b_8\)

\(b_7\)

\(b_4\)

\(b_6\)

\(b_5\)

\(b_3\)

An addition-gate for \(i = 8\)

1 \cdot a_8 + 1 \cdot b_8 + (-1) \cdot c_8 + 0 \cdot a_8 b_8 + 0 = 0

Towards Polynomials

\def\arraystretch{1.1} \begin{array}{cccccccc} 1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\ 1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\ 1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\ 0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\ 0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\ 0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\ 0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\ 1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\ 1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\ 1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\ \end{array}

\(Q_L\)

Towards Polynomials

\def\arraystretch{1.1} \begin{array}{cccccccc} 1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\ 1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\ 1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\ 0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\ 0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\ 0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\ 0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\ 1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\ 1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\ 1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\ \end{array}

\(Q_L\)

\(\cdot \ a\)

Towards Polynomials

\def\arraystretch{1.1} \begin{array}{cccccccc} 1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\ 1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\ 1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\ 0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\ 0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\ 0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\ 0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\ 1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\ 1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\ 1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\ \end{array}

\(Q_L\)

\(\cdot \ a\)

\(Q_R\)

Towards Polynomials

\def\arraystretch{1.1} \begin{array}{cccccccc} 1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\ 1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\ 1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\ 0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\ 0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\ 0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\ 0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\ 1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\ 1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\ 1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\ \end{array}

\(Q_L\)

\(\cdot \ a\)

\(Q_R\)

\(\cdot \ b\)

Towards Polynomials

\def\arraystretch{1.1} \begin{array}{cccccccc} 1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\ 1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\ 1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\ 0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\ 0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\ 0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\ 0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\ 1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\ 1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\ 1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\ \end{array}

\(Q_L\)

\(\cdot \ a\)

\(Q_R\)

\(\cdot \ b\)

\(Q_O\)

\(\cdot \ c\)

Towards Polynomials

\def\arraystretch{1.1} \begin{array}{cccccccc} 1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\ 1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\ 1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\ 0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\ 0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\ 0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\ 0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\ 1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\ 1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\ 1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\ \end{array}

\(Q_L\)

\(\cdot \ a\)

\(Q_R\)

\(\cdot \ b\)

\(Q_O\)

\(\cdot \ c\)

\(Q_M  \cdot ab\)

Towards Polynomials

\def\arraystretch{1.1} \begin{array}{cccccccc} 1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\ 1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\ 1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\ 0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\ 0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\ 0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\ 0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\ 1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\ 1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\ 1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\ \end{array}

\(Q_L\)

\(\cdot \ a\)

\(Q_R\)

\(\cdot \ b\)

\(Q_O\)

\(\cdot \ c\)

\(Q_M  \cdot ab\)

\(Q_C\)

\(+\)

\(+\)

\(+\)

\(+\)

\(=\)

\(0\)

Towards Polynomials

\def\arraystretch{1.1} \begin{array}{cccccccc} 1\cdot a_0 &+& 0\cdot b_0 &+& 0\cdot c_0 &+& 0\cdot a_0b_0 &+& (-142) &=& 0 \\ 1\cdot a_1 &+& 0\cdot b_1 &+& 0\cdot c_1 &+& 0\cdot a_1b_1 &+& (-x) &=& 0 \\ 1\cdot a_2 &+& 0\cdot b_2 &+& 0\cdot c_2 &+& 0\cdot a_2b_2 &+& 23 &=& 0 \\ 0\cdot a_3 &+& 0\cdot b_3 &+& (-1)\cdot c_3 &+& 1\cdot a_3b_3 &+& 0 &=& 0 \\ 0\cdot a_4 &+& 0\cdot b_4 &+& (-1)\cdot c_4 &+& 1\cdot a_4b_4 &+& 0 &=& 0 \\ 0\cdot a_5 &+& 0\cdot b_5 &+& (-1)\cdot c_5 &+& 1\cdot a_5b_5 &+& 0 &=& 0 \\ 0\cdot a_6 &+& 0\cdot b_6 &+& (-1)\cdot c_6 &+& 1\cdot a_6b_6 &+& 0 &=& 0 \\ 1\cdot a_7 &+& 1\cdot b_7 &+& (-1)\cdot c_7 &+& 0\cdot a_7b_7 &+& 0 &=& 0 \\ 1\cdot a_8 &+& 1\cdot b_8 &+& (-1)\cdot c_8 &+& 0\cdot a_8b_8 &+& 0 &=& 0 \\ 1\cdot a_9 &+& 0\cdot b_9 &+& 0\cdot c_9 &+& 0\cdot a_9b_9 &+& (-120) &=& 0 \\ \end{array}

\(Q_L\)

\(\cdot \ a\)

\(Q_R\)

\(\cdot \ b\)

\(Q_O\)

\(\cdot \ c\)

\(Q_M  \cdot ab\)

\(Q_C\)

\(+\)

\(+\)

\(+\)

\(+\)

\(=\)

\(0\)

Selector polynomials

Wire polynomials

Polynomial Representation

\(Q_C(X)\)

\begin{array}{lr} (1, & \hspace{-3mm} -142) \\ (\omega, & \hspace{-3mm} -10) \\ (\omega^2, & \hspace{-3mm} 23) \\ (\omega^3, & \hspace{-3mm} 0) \\ (\omega^4, & \hspace{-3mm} 0) \\ (\omega^5, & \hspace{-3mm} 0) \\ (\omega^6, & \hspace{-3mm} 0) \\ (\omega^7, & \hspace{-3mm} 0) \\ (\omega^8, & \hspace{-3mm} 0) \\ (\omega^9, & \hspace{-3mm} 120) \\ \end{array}

Proof of Knowledge

Coke from Bottle

Coke from Can

Victor

Peter

\(x\)

\(V\)

\(P\)

Coke from Can

Victor

Peter

Guess?

Bottle!

\langle P, V \rangle (x) = \begin{cases} 1 & \text{if } V \text{ accepts} \\ 0 & \text{if } V \text{ rejects} \end{cases}

Proof of Knowledge

Coke from Bottle

Coke from Can

Victor

Peter

Try again!

Proof of Knowledge

Coke from Bottle

Victor

Peter

Can!

If \(P\) actually knows the taste, \( \Pr[ \langle P,V \rangle(x) = 1 ]\) = 1

If \(P\)'s claim is wrong, \( \Pr[ \langle P,V \rangle(x) = 1 ] = \left(\frac{1}{2}\right)^2 \)

\(\implies\) Completeness!

\(\implies\) Soundness!

Proof of Knowledge

Zero Knowledge Proofs

Zero Knowledge Proofs

Reveal!

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Zero Knowledge Proofs

Reveal!

Zero Knowledge Proofs

Zero Knowledge Proofs

On repeating the experiment a number of times, 

  • If the prover is honest, verifier accepts!
  • If the prover is cheating, verifier will catch it!
  • No information about 3-colouring is revealed! 

\(\text{Completeness,}\)

\(\text{Soundness,}\)

\(\text{Zero-Knowledge!}\)

Promise of ZKPs

Made with Slides.com