Plonk Optimisations

Aztec Study Club - Session 9

11th May 2022

Plonk Constraints

\textcolor{gray}{2.} a_1 \textcolor{gray}{+3.}b_1 \textcolor{gray}{+1.}c_1 \textcolor{gray}{-1.}d_1 \textcolor{gray}{+5} = 0

\textcolor{gray}{0.} a_3 \textcolor{gray}{+0.}b_3 \textcolor{gray}{+1.}a_3b_3 \textcolor{gray}{-1.}c_3 \textcolor{gray}{+0} = 0

(a_i,b_i) \ \textcolor{grey}{+_{\text{ecc}}} \ (c_i, d_i) = (a_{i+1},b_{i+1})

\textsf{ecc gate}:

\underbrace{\hspace{2cm}}

StandardPlonk

\underbrace{\hspace{1cm}}

TurboPlonk

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{d}

a_1

b_1

c_1

d_1

a_2

b_2

c_2

d_2

a_3

b_3

c_3

d_3

\vdots

a_{i}

b_{i}

c_{i}

d_{i}

i+1

a_{i+1}

b_{i+1}

c_{i+1}

d_{i+1}

\vdots

n-1

a_{n-1}

b_{n-1}

c_{n-1}

d_{n-1}

a_{n}

b_{n}

c_{n}

d_{n}

\textsf{add gate}:

\textsf{mult gate}:

Width = \(4\)

Circuit size = \(n\)

c_1 = a_i,

d_2 = b_i,

a_{i+1} = c_{n-1},

b_{i+1} = d_{n-1},

\underbrace{\hspace{1cm}}

Copy constraints

Cell-wise permutation

Plonk Costs

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{d}

a_1

b_1

c_1

d_1

a_2

b_2

c_2

d_2

a_3

b_3

c_3

d_3

\vdots

a_{i}

b_{i}

c_{i}

d_{i}

i+1

a_{i+1}

b_{i+1}

c_{i+1}

d_{i+1}

\vdots

n-1

a_{n-1}

b_{n-1}

c_{n-1}

d_{n-1}

a_{n}

b_{n}

c_{n}

d_{n}

Width = \(4\)

Circuit size = \(n\)

\textsf{Multi-scalar Multiplication}:

W_a = a'_1 * \textcolor{gray}{\textsf{srs}_1} \ + \ a'_2 * \textcolor{gray}{\textsf{srs}_2} \ + \ \dots \ + \ a'_n * \textcolor{gray}{\textsf{srs}_n}

W_b = b'_1 * \textcolor{gray}{\textsf{srs}_1} \ + \ b'_2 * \textcolor{gray}{\textsf{srs}_2} \ + \ \dots \ + \ b'_n * \textcolor{gray}{\textsf{srs}_n}

W_c = c'_1 * \textcolor{gray}{\textsf{srs}_1} \ + \ c'_2 * \textcolor{gray}{\textsf{srs}_2} \ + \ \dots \ + \ c'_n * \textcolor{gray}{\textsf{srs}_n}

W_d = d'_1 * \textcolor{gray}{\textsf{srs}_1} \ + \ d'_2 * \textcolor{gray}{\textsf{srs}_2} \ + \ \dots \ + \ d'_n * \textcolor{gray}{\textsf{srs}_n}

\textsf{Fast Fourier Transforms}:

\(x\)

\(y\)

w_a(X) = a'_1 + a'_2 X + a'_3 X^2 + \dots + a'_n X^{n-1}

\textsf{Evaluations} \xrightarrow{\textcolor{violet}{\text{FFT}}} \textsf{Coefficients}

\(1\)

\(\omega\)

\(\omega^2\)

\(\omega^4\)

\(\omega^5\)

\(\omega^6\)

\(\omega^7\)

\(\omega^3\)

a_3

a_8

a_2

a_4

a_7

a_5

a_6

a_1

Plonk Optimisations

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{d}

a_1

b_1

c_1

d_1

a_2

b_2

c_2

d_2

a_3

b_3

c_3

d_3

\vdots

a_{i}

b_{i}

c_{i}

d_{i}

i+1

a_{i+1}

b_{i+1}

c_{i+1}

d_{i+1}

\vdots

n-1

a_{n-1}

b_{n-1}

c_{n-1}

d_{n-1}

a_{n}

b_{n}

c_{n}

d_{n}

Width = \(4\)

Circuit size = \(n\)

Prover work of any zk-SNARK is primarily: FFTs and MSMs
FFTs are \(\mathcal{O}(n \ \text{log}(n))\)
MSMs are \(\mathcal{O}(n / \text{log}(n))\)
But a single MSM is \(\approx 5\times\) more expensive than an FFT
How do we optimise prover costs?
- Simple! Reduce the circuit size \(n\)
- TurboPLONK: custom gate to do complex operations more than just addition and multiplication
- UltraPLONK: use lookup tables to efficiently do bitwise operations
- Honk teaser: can we get rid of FFTs completely? 😉

Plonk Optimisations ft. ZCash

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{d}

a_1

b_1

c_1

d_1

a_2

b_2

c_2

d_2

a_3

b_3

c_3

d_3

\vdots

a_{i}

b_{i}

c_{i}

d_{i}

i+1

a_{i+1}

b_{i+1}

c_{i+1}

d_{i+1}

\vdots

n-1

a_{n-1}

b_{n-1}

c_{n-1}

d_{n-1}

a_{n}

b_{n}

c_{n}

d_{n}

Width = \(4\)

Circuit size = \(n\)

TurboPLONK means more computation per gate
This means fewer total number of gates!
On the same lines, can we increase the width?

Plonk Optimisations ft. ZCash

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{d}

a_1

b_1

c_1

d_1

a_2

b_2

c_2

d_2

a_3

b_3

c_3

d_3

\vdots

a_{i}

b_{i}

c_{i}

d_{i}

i+1

a_{i+1}

b_{i+1}

c_{i+1}

d_{i+1}

\vdots

n-1

a_{n-1}

b_{n-1}

c_{n-1}

d_{n-1}

a_{n}

b_{n}

c_{n}

d_{n}

Width = \(4\)

Circuit size = \(n\)

TurboPLONK means more computation per gate
This means fewer total number of gates!
On the same lines, can we increase the width?

\textsf{e}

\textsf{f}

Plonk Optimisations ft. ZCash

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{d}

a_1

b_1

c_1

d_1

a_2

b_2

c_2

d_2

a_3

b_3

c_3

d_3

\vdots

a_{i}

b_{i}

c_{i}

d_{i}

i+1

a_{i+1}

b_{i+1}

c_{i+1}

d_{i+1}

\vdots

n-1

a_{n-1}

b_{n-1}

c_{n-1}

d_{n-1}

a_{n}

b_{n}

c_{n}

d_{n}

Width = \(6\)

Circuit size = \(n\)

TurboPLONK means more computation per gate
This means fewer total number of gates!
On the same lines, can we increase the width?

\textsf{e}

\textsf{f}

Plonk Optimisations ft. ZCash

\textsf{a}

\textsf{b}

\textsf{c}

\textsf{d}

a_1

b_1

c_1

d_1

a_2

b_2

c_2

d_2

a_3

b_3

c_3

d_3

\vdots

a_{i}

b_{i}

c_{i}

d_{i}

i+1

a_{i+1}

b_{i+1}

c_{i+1}

d_{i+1}

\vdots

Width = \(6\)

Circuit size = \(n' < n\)

TurboPLONK means more computation per gate
This means fewer total number of gates!
On the same lines, can we increase the width?
- Indeed, increasing width reduces circuit size!
- Wait, what's the tradeoff?