Skip to main content

PlonK

In this chapter, we will present the construction of GWC19, i.e., permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge.

PlonK is a succinct non-interactive zero-knowledge argument (SNARK) system that proves the correct execution of a program, i.e., in this case, an arithmetic circuit with only addition (+)(+) and multiplication ()(\cdot) operations.

As an overview of the construction, we separate it into 22 parts. First, we transform the arithmetic circuit into a set of constraints, called arithmetization and represented under some form of polynomials. Then, by applying some proof technique, it compiles the arithmetization into the proof.

Author(s): khaihanhtang

Plonk's Arithmetization

PlonK's arithmetization GWC19 breaks the circuit into a batch of gates, namely, multiplications, additions, multiplications with constants and additions with constants. For each gate, the operation is transformed into a unified form with respective selectors, uniquely determined by the gate without assigned inputs and output. On the other hand, since breaking circuit into gates introduces the inconsistencies among wires, we additionally apply copy constraints to wires to guarantee that such inconsistencies unavailable.

We describe circuit specification in Circuit Specification. Then, we discuss how to break the circuit into gates and label wires in Breaking Circuit. Then we present unified form of gate constraints in Gate Constraints and handling copy constraints in Copy Constraints.

Circuit Specification

Let F\mathbb{F} be a finite field. In this section, we describe the arithmetic circuit whose operations are over F\mathbb{F}.

Let inN\ell_{\mathsf{in}} \in \mathbb{N} be the number of input wires of the circuit C\mathcal{C}. Assume that C\mathcal{C} has exactly nn gates. Each gate takes at most 22 wires as inputs and returns 11 output wires. In particular,

  • Addition and multiplications gates takes 22 inputs and return 11 output.
  • Gates of additions and multiplications with constants take 11 input and return 11 output.

Let's take a look at the following example.

Assume that f(u,v)=u2+3uv+v+5f(u, v) = u^2 + 3uv + v + 5. Then the sequence are arranged in the following constraints, wrapped as below.

{z1=uu(multiplication),z2=uv(multiplication),z3=z23(multiplication with constant),z4=z1+z3(addition),z5=z4+v(addition),z6=z5+5(addition with constant).\left\{ \begin{array}{l} z_1 = u \cdot u &\text{(multiplication)}, \\ z_2 = u \cdot v &\text{(multiplication)}, \\ z_3 = z_2 \cdot 3 &\text{(multiplication with constant)}, \\ z_4 = z_1 + z_3 &\text{(addition)}, \\ z_5 = z_4 + v &\text{(addition)}, \\ z_6 = z_5 + 5 &\text{(addition with constant)}. \end{array}\right.

The input size is in=2\ell_{\mathsf{in}} = 2 for variables u,vu, v and the output is z6z_6.

Breaking Circuit

To break the circuit into gates with wires separated, namely, no wire involves to 22 or more gates, we use a set of labels I=a1,,an,b1,,bn,c1,,cn\mathcal{I} = \\{a_1, \dots, a_n, b_1, \dots, b_n, c_1, \dots, c_n\\} to denote the wire label of each gate. Let x:IFx : \mathcal{I} \to \mathbb{F} be the function mapping wires to their respective wire values. Hence, x(id)x(id) represents the value at wire idIid \in \mathcal{I} For simplicity, we write xidx_{id}, in place of x(id)x(id), for any idIid \in \mathcal{I}.

Specifically, for each i1,,ni \in \\{1, \dots, n\\}, we denote by

  • xci=xaixbix_{c_i} = x_{a_i}\circ x_{b_i} to denote the computation where \circ is either addition or multiplication.
  • xci=xaicx_{c_i} = x_{a_i}\circ c to denote the computation where \circ is either addition or multiplication with constant and cc is the constant.

At this point, we may be curious what value xbix_{b_i} takes if \circ is operation with constant. In fact, in this case xbix_{b_i} can be seen as garbage and can take any value from F\mathbb{F}. This value will affect neither security nor correctness of the system since the constraints in PlonK's arithmetization guarantee that such a compromise will not happen.

Let's take a look at the following example, taken from Circuit Specification.

We have f(u,v)=u2+3uv+v+5f(u, v) = u^2 + 3uv + v + 5 and the constraints below.

{z1=uu(multiplication),z2=uv(multiplication),z3=z23(multiplication with constant),z4=z1+z3(addition),z5=z4+v(addition),z6=z5+5(addition with constant).\left\{ \begin{array}{l} z_1 = u \cdot u &\text{(multiplication)}, \\ z_2 = u \cdot v &\text{(multiplication)}, \\ z_3 = z_2 \cdot 3 &\text{(multiplication with constant)}, \\ z_4 = z_1 + z_3 &\text{(addition)}, \\ z_5 = z_4 + v &\text{(addition)}, \\ z_6 = z_5 + 5 &\text{(addition with constant)}. \end{array}\right.

By breaking circuit, we have the following constraints with respect to the above format, namely, using I={a1,,a6,b1,,b6,c1,,c6}\mathcal{I} = \{a_1, \dots, a_6, b_1, \dots, b_6, c_1, \dots, c_6\}, where n=6n = 6, and x:IFx : \mathcal{I}\to \mathbb{F}.

{xc1=xa1xb1,xc2=xa2xb2,xc3=xa33,xc4=xa4+xb4,xc5=xa5+xb5,xc6=xa6+5 where {u=xa1=xa2=xb1,v=xb2=xb5,z1=xa4=xc1,z2=xa3=xc2,z3=xb4=xc3,z4=xa5=xc4,z5=xa6=xc5,z6=xc6.\left\{ \begin{array}{l} x_{c_1} = x_{a_1} \cdot x_{b_1}, \\ x_{c_2} = x_{a_2} \cdot x_{b_2}, \\ x_{c_3} = x_{a_3} \cdot 3, \\ x_{c_4} = x_{a_4} + x_{b_4}, \\ x_{c_5} = x_{a_5} + x_{b_5}, \\ x_{c_6} = x_{a_6} + 5 \end{array}\right.\text{ where } \left\{ \begin{array}{l} u = x_{a_1} = x_{a_2} = x_{b_1}, \\ v = x_{b_2} = x_{b_5}, \\ z_1 = x_{a_4} = x_{c_1}, \\ z_2 = x_{a_3} = x_{c_2}, \\ z_3 = x_{b_4} = x_{c_3}, \\ z_4 = x_{a_5} = x_{c_4}, \\ z_5 = x_{a_6} = x_{c_5}, \\ z_6 = x_{c_6}. \end{array}\right.

Notice that vb3v_{b_3} and vb6v_{b_6} are dismissed. These values can be any elements from F\mathbb{F} and do not have any effect to the arithmetization.

For equations in the system guaranteeing the correct computation of the operation, we call them gate constraints. For equations in the system guaranteeing the equalities, or consistencies, among wires, we call them copy constraints.

We first discuss the transformation of gate constraints into a common unified form with publicly determined selectors in Gate Constraints. Then, we discuss the method for guaranteeing copy constraints in Copy Constraints.

Gate constraints

At this stage, for each i1,,ni \in \\{1,\dots, n\\}, we need to transform the computation of each gate to a unified form as follows: qiOxci+qiLxai+qiRxbi+qiM(xaixbi)+qiC=0q^O_i \cdot x_{c_i} + q^L_i \cdot x_{a_i} + q^R_i \cdot x_{b_i} + q^M_i \cdot (x_{a_i} \cdot x_{b_i}) + q^C_i = 0 where qiO,qiL,qiR,qiM,qiCq_i^O, q_i^L, q_i^R, q_i^M, q_i^C are selectors uniquely determined by the corresponding gate. In particular,

  • For addition gate, (qiO,qiL,qiR,qiM,qiC)=(1,1,1,0,0)(q_i^O, q_i^L, q_i^R, q_i^M, q_i^C) = (-1, 1, 1, 0, 0) since (1)xci+1xai+1xbi+0(xaixbi)+0=0(-1) \cdot x_{c_i} + 1 \cdot x_{a_i} + 1 \cdot x_{b_i} + 0 \cdot (x_{a_i} \cdot x_{b_i}) + 0 = 0 is equivalent to xci=xai+xbix_{c_i} = x_{a_i} + x_{b_i}.

  • For multiplication gate, (qiO,qiL,qiR,qiM,qiC)=(1,0,0,1,0)(q_i^O, q_i^L, q_i^R, q_i^M, q_i^C) = (-1, 0, 0, 1, 0) since (1)xci+0xai+0xbi+1(xaixbi)+0=0(-1) \cdot x_{c_i} + 0 \cdot x_{a_i} + 0 \cdot x_{b_i} + 1 \cdot (x_{a_i} \cdot x_{b_i}) + 0 = 0 is equivalent to xci=xaixbix_{c_i} = x_{a_i} \cdot x_{b_i}.

  • For gate of addition with constant, (qiO,qiL,qiR,qiM,qiC)=(1,1,0,0,c)(q_i^O, q_i^L, q_i^R, q_i^M, q_i^C) = (-1, 1, 0, 0, c) since (1)xci+1xai+0xbi+0(xaixbi)+c=0(-1) \cdot x_{c_i} + 1 \cdot x_{a_i} + 0 \cdot x_{b_i} + 0 \cdot (x_{a_i} \cdot x_{b_i}) + c = 0 is equivalent to xci=xai+cx_{c_i} = x_{a_i} + c.

  • For gate of multiplication with constant, (qiO,qiL,qiR,qiM,qiC)=(1,c,0,0,0)(q_i^O, q_i^L, q_i^R, q_i^M, q_i^C) = (-1, c, 0, 0, 0) since (1)xci+cxai+0xbi+0(xaixbi)+0=0(-1) \cdot x_{c_i} + c \cdot x_{a_i} + 0 \cdot x_{b_i} + 0 \cdot (x_{a_i} \cdot x_{b_i}) + 0 = 0 is equivalent to xci=xaicx_{c_i} = x_{a_i} \cdot c.

We now take a look at the example achieved above, i.e.,

{xc1=xa1xb1,xc2=xa2xb2,xc3=xa33,xc4=xa4+xb4,xc5=xa5+xb5,xc6=xa6+5.\left\{ \begin{array}{l} x_{c_1} = x_{a_1} \cdot x_{b_1}, \\ x_{c_2} = x_{a_2} \cdot x_{b_2}, \\ x_{c_3} = x_{a_3} \cdot 3, \\ x_{c_4} = x_{a_4} + x_{b_4}, \\ x_{c_5} = x_{a_5} + x_{b_5}, \\ x_{c_6} = x_{a_6} + 5. \end{array}\right.

In this example, we can transform the above system of equation into the unified form as follows:

{(1)xc1+0xa1+0xb1+1(xa1xb1)+0=0,(1)xc2+0xa2+0xb2+1(xa2xb2)+0=0,(1)xc3+3xa3+0xb3+0(xa3xb3)+0=0,(1)xc4+1xa4+1xb4+0(xa4xb4)+0=0,(1)xc5+1xa5+1xb5+0(xa5xb5)+0=0,(1)xc6+1xa6+0xb6+0(xa6xb6)+5=0.\left\{ \begin{array}{l} (-1) \cdot x_{c_1} + 0 \cdot x_{a_1} + 0 \cdot x_{b_1} + 1 \cdot (x_{a_1} \cdot x_{b_1}) + 0 = 0, \\ (-1) \cdot x_{c_2} + 0 \cdot x_{a_2} + 0 \cdot x_{b_2} + 1 \cdot (x_{a_2} \cdot x_{b_2}) + 0 = 0, \\ (-1) \cdot x_{c_3} + 3 \cdot x_{a_3} + 0 \cdot x_{b_3} + 0 \cdot (x_{a_3} \cdot x_{b_3}) + 0 = 0, \\ (-1) \cdot x_{c_4} + 1 \cdot x_{a_4} + 1 \cdot x_{b_4} + 0 \cdot (x_{a_4} \cdot x_{b_4}) + 0 = 0, \\ (-1) \cdot x_{c_5} + 1 \cdot x_{a_5} + 1 \cdot x_{b_5} + 0 \cdot (x_{a_5} \cdot x_{b_5}) + 0 = 0, \\ (-1) \cdot x_{c_6} + 1 \cdot x_{a_6} + 0 \cdot x_{b_6} + 0 \cdot (x_{a_6} \cdot x_{b_6}) + 5 = 0. \end{array}\right.

Copy Constraints

Recall that gate constraints do not enforce the equalities of wire values making inconsistencies across the circuit. We generalize copy constraints to the following problem.

Let k{1,,3n}k \in \{1, \dots, 3n\} and {i1,,ik}I\{i_1, \dots, i_k\} \subseteq \mathcal{I} satisfying i1<i2<<iki_1 < i_2 < \dots < i_k. We would like to show that

xi1=xi2==xik. x_{i_1} = x_{i_2} = \dots = x_{i_k}.

The technique for proving this problem is tricky. We form the pairs of index-value and make them into a sequence

((i1,xi1),(i2,xi2),,(ik,xik)). \big((i_1, x_{i_1}), (i_2, x_{i_2}), \dots, (i_k, x_{i_k})\big).

It can be observed that if xi1=xi2==xikx_{i_1} = x_{i_2} = \dots = x_{i_k}, then, if we rotate the indices among the pairs, we achieve a sequence

((ik,xi1),(i1,xi2),,(ik1,xik)) \big((i_k, x_{i_1}), (i_1, x_{i_2}), \dots, (i_{k - 1}, x_{i_k})\big)

that is permutation of the previous sequence. Notice that we just rotated the indices 11 step to the left and this is the recommended rotation. This fact helps imply the other direction of the fact. For more details, we use the following observation

Observation. ((i1,xi1),(i2,xi2),,(ik,xik))\big((i_1, x_{i_1}), (i_2, x_{i_2}), \dots, (i_k, x_{i_k})\big) is a permutation of ((ik,xi1),(i1,xi2),,(ik1,xik))\big((i_k, x_{i_1}), (i_1, x_{i_2}), \dots, (i_{k - 1}, x_{i_k})\big) if and only if xi1=xi2==xikx_{i_1} = x_{i_2} = \dots = x_{i_k}.

Proof. The proof is as follows:

"\Leftarrow": This direction is straightforward.

"\Rightarrow": Since the two sequences are permutation of each other, for j1,,kj \in \\{1, \dots, k\\} we consider (ij,xij)(i_j, x_{i_j}) from the first sequence. It can be seen that (ij,xi(jmodk)+1)(i_j, x_{i_{(j \mod k) + 1}}) from the second sequence is the only one that is equal j1,,kj \in \\{1, \dots, k\\} since they share the unique prefix iji_j. Hence, xij=xi(jmodk)+1x_{i_j} = x_{i_{(j \mod k) + 1}}. Following this argument, we see that xi1=xi2,xi2=xi3,,xik1=xik,xik=xi1x_{i_1} = x_{i_2}, x_{i_2} = x_{i_3}, \dots, x_{i_{k - 1}} = x_{i_k}, x_{i_k} = x_{i_1}. Thus, xi1=xi2==xikx_{i_1} = x_{i_2} = \dots = x_{i_k}.

General paradigm for proving copy constraints of the entire circuit

Recall that x:IFx : \mathcal{I} \to \mathbb{F}. We can deterministically determine a partition of I\mathcal{I} such that

I=j=1in+nIj \mathcal{I} = \bigcup_{j = 1}^{\ell_{\mathsf{in}} + n} \mathcal{I}_j

where in+n\ell_{\mathsf{in}} + n is the number of wires of the original circuits, namely, in\ell_{\mathsf{in}} input wires and nn output wires of all gates. Hence each subset Ij\mathcal{I}_j is the set of wire labels whose value are all equal to the same wire value of the original circuit. We hence obtain a rotation of indices for each subset Ij\mathcal{I}_j. By unifying all those rotations, we achieve a permutation σ:II\sigma : \mathcal{I}\to\mathcal{I} such that

((a1,xa1),,(an,xan),(b1,xb1),,(bn,xbn),(c1,xc1),,(cn,xcn)) \big((a_1, x_{a_1}), \dots, (a_n, x_{a_n}), (b_1, x_{b_1}), \dots, (b_n, x_{b_n}), (c_1, x_{c_1}), \dots, (c_n, x_{c_n})\big)

is a permutation of

((σ(a1),xa1),,(σ(an),xan),(σ(b1),xb1),,(σ(bn),xbn),(σ(c1),xc1),,(σ(cn),xcn)). \big((\sigma(a_1), x_{a_1}), \dots, (\sigma(a_n), x_{a_n}), (\sigma(b_1), x_{b_1}), \dots, (\sigma(b_n), x_{b_n}), (\sigma(c_1), x_{c_1}), \dots, (\sigma(c_n), x_{c_n})\big).

Such guaranteed permutation relation implies the consistencies among wires of the circuit.

Recall the example in Breaking Circuit with the following copy constraints.

{u=xa1=xa2=xb1,v=xb2=xb5,z1=xa4=xc1,z2=xa3=xc2,z3=xb4=xc3,z4=xa5=xc4,z5=xa6=xc5,z6=xc6.\left\{ \begin{array}{l} u = x_{a_1} = x_{a_2} = x_{b_1}, \\ v = x_{b_2} = x_{b_5}, \\ z_1 = x_{a_4} = x_{c_1}, \\ z_2 = x_{a_3} = x_{c_2}, \\ z_3 = x_{b_4} = x_{c_3}, \\ z_4 = x_{a_5} = x_{c_4}, \\ z_5 = x_{a_6} = x_{c_5}, \\ z_6 = x_{c_6}. \end{array}\right.

We achieve the partition

{{a1,a2,b1},{b2,b5},{a4,c1},{a3,c2},{b4,c3},{a5,c4},{a6,c5},{c6}}. \big\{\{a_1, a_2, b_1\}, \{b_2, b_5\}, \{a_4, c_1\}, \{a_3, c_2\}, \{b_4, c_3\}, \{a_5, c_4\}, \{a_6, c_5\}, \{c_6\}\big\}.

We hence can achive the permutation σ:II\sigma: \mathcal{I}\to\mathcal{I} as follows:

{σ(a1)=b1,σ(a2)=a1,σ(b1)=a2,σ(b2)=b5,σ(b5)=b2,σ(a4)=c1,σ(c1)=a4,σ(a3)=c2,σ(c2)=a3,σ(b4)=c3,σ(c3)=b4,σ(a5)=c4,σ(c4)=a5,σ(a6)=c5,σ(c5)=a6,σ(c6)=c6.\left\{ \begin{array}{l} \sigma(a_1) = b_1, &\sigma(a_2) = a_1, &\sigma(b_1) = a_2, \\ \sigma(b_2) = b_5, &\sigma(b_5) = b_2, \\ \sigma(a_4) = c_1, &\sigma(c_1) = a_4, \\ \sigma(a_3) = c_2, &\sigma(c_2) = a_3, \\ \sigma(b_4) = c_3, &\sigma(c_3) = b_4, \\ \sigma(a_5) = c_4, &\sigma(c_4) = a_5, \\ \sigma(a_6) = c_5, &\sigma(c_5) = a_6, \\ \sigma(c_6) = c_6. \end{array} \right.