Plonk Made Simple

Aztec Study Club - Session 7

13th April 2022

Pythagorean Triplet

  • A triplet of three numbers \((a, b, c) \in \mathbb{N}\) such that \(a < b < c\) and \(a^2+b^2=c^2\)
  • Examples: \((3,4,5)\) or \((5,11,12)\)
  • Can we express this using \(\textsf{add, mul}\) gates?
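[Figure: arithmetic circuit. Three \(\ast\) gates compute \(a^2\), \(b^2\), \(c^2\) from the inputs \(a\), \(b\), \(c\); a \(+\) gate forms \(a^2+b^2\); a \(-\) gate subtracts \(c^2\) and requires \(\textsf{out} = 0\).]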

Arithmetic Circuit

[Figure: the same circuit with labelled wires. Three \(\ast\) gates map \(x_1, x_2, x_3\) to \(x_4, x_5, x_6\); a \(+\) gate takes \(x_4\) and \(x_5\) and outputs \(x_6\).]

  • Each gate has three wires: \(w_l, w_r, w_o\)

\[
\begin{array}{c|ccc|l}
i & w_l & w_r & w_o & \text{Constraint} \\ \hline
1 & x_1 & x_1 & x_4 & x_1^2 = x_4 \\
2 & x_2 & x_2 & x_5 & x_2^2 = x_5 \\
3 & x_3 & x_3 & x_6 & x_3^2 = x_6 \\
4 & x_4 & x_5 & x_6 & x_4 + x_5 = x_6
\end{array}
\]

  • Gate constraint: \(\textcolor{gray}{q_l\cdot}w_l + \textcolor{gray}{q_r\cdot}w_r + \textcolor{gray}{q_m\cdot}w_lw_r + \textcolor{gray}{q_o\cdot}w_o + \textcolor{gray}{q_c} = 0\)
  • Selectors are shown in gray; the \(x_i\) are the witnesses. With the selectors filled in, gates 1 to 4 read:

\[
\begin{aligned}
\textcolor{gray}{0\cdot} x_1 + \textcolor{gray}{0\cdot}x_1 + \textcolor{gray}{1\cdot}(x_1x_1) \textcolor{gray}{-1\cdot}x_4 + \textcolor{gray}{0} &= 0 \\
\textcolor{gray}{0\cdot} x_2 + \textcolor{gray}{0\cdot}x_2 + \textcolor{gray}{1\cdot}(x_2x_2) \textcolor{gray}{-1\cdot}x_5 + \textcolor{gray}{0} &= 0 \\
\textcolor{gray}{0\cdot} x_3 + \textcolor{gray}{0\cdot}x_3 + \textcolor{gray}{1\cdot}(x_3x_3) \textcolor{gray}{-1\cdot}x_6 + \textcolor{gray}{0} &= 0 \\
\textcolor{gray}{1\cdot}x_4 + \textcolor{gray}{1\cdot}x_5 + \textcolor{gray}{0\cdot}(x_4x_5) \textcolor{gray}{-1\cdot}x_6 + \textcolor{gray}{0} &= 0
\end{aligned}
\]

  • Copy constraints:

\[
\begin{aligned} (w_{o})_1 &= (w_l)_4 \\[5pt] (w_{o})_2 &= (w_r)_4 \\[5pt] (w_{o})_3 &= (w_o)_4 \end{aligned}
\]
  • We can combine gate and copy constraints in a single huge equation!
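
The gate table and copy constraints above, checked on concrete wire values. This is an added example, not code from the slides; the modulus `P`, the function names and the sample wire tables are assumptions made for illustration. It shows that gate constraints alone accept a wire table whose gates are individually valid but not connected, which is the gap the copy constraints close.

```python
P = 2**61 - 1  # stand-in prime modulus (assumption: the slides do not fix a field)

# (q_l, q_r, q_m, q_o, q_c) for gates 1..4, read off the gate table.
SELECTORS = [
    (0, 0, 1, -1, 0),  # x1 * x1 = x4
    (0, 0, 1, -1, 0),  # x2 * x2 = x5
    (0, 0, 1, -1, 0),  # x3 * x3 = x6
    (1, 1, 0, -1, 0),  # x4 + x5 = x6
]
COL = {"l": 0, "r": 1, "o": 2}
# The slide's copy constraints as ((column, gate), (column, gate)), gates 1-based.
COPIES = [(("o", 1), ("l", 4)), (("o", 2), ("r", 4)), (("o", 3), ("o", 4))]

def gates_ok(wires):
    """wires[i] = (w_l, w_r, w_o) of gate i+1; every gate equation must be 0 mod P."""
    return all(
        (ql * l + qr * r + qm * l * r + qo * o + qc) % P == 0
        for (ql, qr, qm, qo, qc), (l, r, o) in zip(SELECTORS, wires)
    )

def copies_ok(wires):
    """Tied wire positions must carry the same value."""
    return all(
        wires[g1 - 1][COL[c1]] == wires[g2 - 1][COL[c2]]
        for (c1, g1), (c2, g2) in COPIES
    )

def honest_wires(a, b, c):
    """Wire table obtained by actually evaluating the circuit on (a, b, c)."""
    a2, b2, c2 = a * a % P, b * b % P, c * c % P
    return [(a, a, a2), (b, b, b2), (c, c, c2), (a2, b2, c2)]

def accepts(wires):
    return gates_ok(wires) and copies_ok(wires)

# Constructed inputs: (3, 4, 5) is a triplet, (1, 2, 3) is not.
GOOD = honest_wires(3, 4, 5)
BAD = honest_wires(1, 2, 3)  # gate 4 fails: 1 + 4 != 9
# Gates 1-3 computed from (1, 2, 3); gate 4 filled with the unrelated sum 1 + 4 = 5.
UNLINKED = honest_wires(1, 2, 3)[:3] + [(1, 4, 5)]

if __name__ == "__main__":
    for name, w in [("good", GOOD), ("bad", BAD), ("unlinked", UNLINKED)]:
        print(name, "gates:", gates_ok(w), "copies:", copies_ok(w))
```

`UNLINKED` passes every gate equation and is rejected only because \((w_o)_3 \neq (w_o)_4\).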

All Hail Polynomials

  • How do we prove the correctness of a set of equations?
\[
\begin{aligned}
\textcolor{gray}{0\cdot} x_1 + \textcolor{gray}{0\cdot}x_1 + \textcolor{gray}{1\cdot}(x_1x_1) \textcolor{gray}{-1\cdot}x_4 + \textcolor{gray}{0} &= 0 \\
\textcolor{gray}{0\cdot} x_2 + \textcolor{gray}{0\cdot}x_2 + \textcolor{gray}{1\cdot}(x_2x_2) \textcolor{gray}{-1\cdot}x_5 + \textcolor{gray}{0} &= 0 \\
\textcolor{gray}{0\cdot} x_3 + \textcolor{gray}{0\cdot}x_3 + \textcolor{gray}{1\cdot}(x_3x_3) \textcolor{gray}{-1\cdot}x_6 + \textcolor{gray}{0} &= 0 \\
\textcolor{gray}{1\cdot}x_4 + \textcolor{gray}{1\cdot}x_5 + \textcolor{gray}{0\cdot}(x_4x_5) \textcolor{gray}{-1\cdot}x_6 + \textcolor{gray}{0} &= 0
\end{aligned}
\]

  • Turn each selector column and each wire column into a polynomial in \(X\); the four equations then become a single one, which has to hold at every gate index:

\[
\textcolor{gray}{q_l(X)}w_l(X) + \textcolor{gray}{q_r(X)}w_r(X) + \textcolor{gray}{q_m(X)}w_l(X)w_r(X) + \textcolor{gray}{q_o(X)}w_o(X) + \textcolor{gray}{q_c(X)} = 0
\]
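
The step from four gate equations to one polynomial equation, carried out numerically. This is an added example, not code from the slides; the modulus `P`, the choice of placing gate \(i\) at \(X = i\), and all function names are assumptions (production Plonk places the gates on roots of unity).

```python
P = 2**61 - 1          # stand-in prime modulus (assumption)
DOMAIN = [1, 2, 3, 4]  # assumption: gate i sits at X = i

def interp_eval(xs, ys, x):
    """Evaluate at x the unique polynomial of degree < len(xs) through (xs, ys), mod P."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

# Selector columns over gates 1..4, taken from the gate equations on the slide.
Q = {
    "l": [0, 0, 0, 1],
    "r": [0, 0, 0, 1],
    "m": [1, 1, 1, 0],
    "o": [-1, -1, -1, -1],
    "c": [0, 0, 0, 0],
}

def gate_poly(wires, x):
    """q_l(x)w_l(x) + q_r(x)w_r(x) + q_m(x)w_l(x)w_r(x) + q_o(x)w_o(x) + q_c(x) mod P."""
    q = {k: interp_eval(DOMAIN, col, x) for k, col in Q.items()}
    wl, wr, wo = (interp_eval(DOMAIN, [w[k] for w in wires], x) for k in range(3))
    return (q["l"] * wl + q["r"] * wr + q["m"] * wl * wr + q["o"] * wo + q["c"]) % P

def vanishes_on_domain(wires):
    """True when the combined polynomial is 0 at every gate index."""
    return all(gate_poly(wires, x) == 0 for x in DOMAIN)

# Constructed wire tables (w_l, w_r, w_o) per gate.
GOOD = [(3, 3, 9), (4, 4, 16), (5, 5, 25), (9, 16, 25)]   # witness for (3, 4, 5)
BAD = GOOD[:3] + [(9, 16, 26)]                            # gate 4: 9 + 16 != 26

if __name__ == "__main__":
    print("good witness vanishes on domain:", vanishes_on_domain(GOOD))
    print("bad witness vanishes on domain: ", vanishes_on_domain(BAD))
    print("good witness at X = 5:", gate_poly(GOOD, 5))
```

For the valid witness the combined polynomial is zero at \(X = 1, \dots, 4\) but not at \(X = 5\): the equation holds on the gate indices, not for every \(X\).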

  • Gate constraints done! What about copy constraints?
    • Entries with matching colours must be equal (\(a_1 = b_3\), \(a_2 = b_1\), \(a_3 = b_2\)). Compare the two products:

\[
\begin{bmatrix} \textcolor{orange}{a_1} \\ \textcolor{green}{a_2} \\ \textcolor{violet}{a_3} \end{bmatrix}
\qquad
\begin{bmatrix} \textcolor{green}{b_1} \\ \textcolor{violet}{b_2} \\ \textcolor{orange}{b_3} \end{bmatrix}
\]

\[
(\textcolor{orange}{a_1} + 1\beta)\cdot(\textcolor{green}{a_2} + 2\beta)\cdot(\textcolor{violet}{a_3} + 3\beta) \ = \
(\textcolor{green}{b_1} + 2\beta) \cdot (\textcolor{violet}{b_2} + 3\beta) \cdot (\textcolor{orange}{b_3} + 1\beta)
\]

    • Adding \(\gamma\) to every factor:

\[
(\textcolor{orange}{a_1} + 1\beta + \gamma)\cdot(\textcolor{green}{a_2} + 2\beta + \gamma)\cdot(\textcolor{violet}{a_3} + 3\beta + \gamma) \ = \
(\textcolor{green}{b_1} + 2\beta + \gamma) \cdot (\textcolor{violet}{b_2} + 3\beta + \gamma) \cdot (\textcolor{orange}{b_3} + 1\beta + \gamma)
\]
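
What the \(\gamma\) term buys, as an added example that is not part of the slides. The modulus `P`, the function names and the vectors are constructed for illustration: `B_FORGED` is not a rearranged copy of `A`, yet it satisfies the \(\beta\)-only product for every \(\beta\), and it is rejected once \(\gamma\) is added.

```python
P = 2**61 - 1  # stand-in prime modulus (assumption: the slides do not fix a field)

IDS = [1, 2, 3]    # labels on the a side: a_1, a_2, a_3
SIGMA = [2, 3, 1]  # labels on the b side, as on the slide: b_1=a_2, b_2=a_3, b_3=a_1

def product(values, labels, beta, gamma=0):
    """prod_i (values[i] + labels[i]*beta + gamma) mod P."""
    acc = 1
    for v, k in zip(values, labels):
        acc = acc * (v + k * beta + gamma) % P
    return acc

def check(a, b, beta, gamma=0):
    """The slide's product equality; gamma=0 gives the beta-only version."""
    return product(a, IDS, beta, gamma) == product(b, SIGMA, beta, gamma)

A = [1, 4, 3]
B_HONEST = [4, 3, 1]  # (a_2, a_3, a_1)
# Constructed forgery: each factor b_j + k*beta is k*(beta + b_j/k), and the ratios
# b_j/k of B_FORGED (1, 2, 1) match the ratios a_i/i of A (1, 2, 1) as a multiset.
# Both sides therefore equal 6*(1 + beta)^2*(2 + beta) for every beta.
B_FORGED = [2, 6, 1]

def beta_only_is_fooled(betas=range(1, 200)):
    """True if the forged vector passes the beta-only check for all given betas."""
    return all(check(A, B_FORGED, beta) for beta in betas)

def gamma_rejects(beta, gamma):
    """True if the honest vector passes and the forged one fails at (beta, gamma)."""
    return check(A, B_HONEST, beta, gamma) and not check(A, B_FORGED, beta, gamma)

if __name__ == "__main__":
    import secrets
    beta, gamma = secrets.randbelow(P), secrets.randbelow(P)
    print("beta-only check accepts forgery:", beta_only_is_fooled())
    print("honest b, with gamma:", check(A, B_HONEST, beta, gamma))
    print("forged b, with gamma:", check(A, B_FORGED, beta, gamma))
```

With \(\gamma\) present, each factor pins down the pair (value, label) instead of only their ratio, so a vector that is not the required rearrangement passes for only a negligible fraction of random \((\beta, \gamma)\).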

A Plonk Proof

  • A cryptographic proof that:

"I know the witness values \((x_1,x_2,x_3,x_4,x_5,x_6)\) such that they satisfy the circuit \(\mathbb{C}\)."

  • The proof size is constant, i.e. it doesn't depend on the number of gates or witnesses.
  • The proof verification is also independent of the number of gates!
  • The proof computation depends linearly on the number of gates.

TurboPlonk

  • The gates can do more than just \(\textsf{add}\) and \(\textsf{multiply}\).
  • Using 4 wires instead of 3, we define custom gates for specific tasks:
    • \(\texttt{ecc}\) gate (wires \(w_1, w_2, w_3, w_4\)): \(x \in \mathbb{F}_q \longrightarrow xG\)
    • \(\in\) gate (wires \(w_1, w_2, w_3, w_4\)): \(x \in [0,2^m)\)
  • TurboPlonk: more computation per gate \(\implies\) fewer gates in total
  • As an example, the join-split circuit with TurboPlonk needs only 65,000 gates as compared to 707,000 using StandardPlonk

Summary

  • We tried to understand how the following parts of Plonk work:
    • Gate constraints 
    • Copy constraints
    • Custom gates (TurboPlonk)
  • In the next part, we will cover:
    • Lookup tables
    • Plookup

By Suyash Bagad

High-level summary of how Aztec works.