Protocol
Details and tricks
Polynomial commitment scheme
A polynomial commitment scheme (PCS) is a cryptographic tool that allows one party to commit to a polynomial, and later prove properties of that polynomial. This commitment polynomial hides the original polynomial's coefficients and can be publicly shared without revealing any information about the original polynomial. Later, the party can use the commitment to prove certain properties of the polynomial, such as that it satisfies certain constraints or that it evaluates to a certain value at a specific point.
In the implementation section we'll explain the inner workings of the Kate-Zaverucha-Goldberg scheme, a popular PCS chosen in Lambdaworks for PLONK.
For the moment we only need the following about it:
It consists of a finite group and the following algorithms:
- Commit(): This algorithm takes a polynomial and produces an element of the group . It is called the commitment of and is denoted by . It is homomorphic in the sense that . The former sum being addition of polynomials. The latter is addition in the group .
- Open(,): It takes a polynomial and a field element and produces an element of the group . This element is called an opening proof for . It is the proof that evaluated at gives .
- Verify(, , , ): It takes group elements and , and also field elements and . With overwhelming probability it outputs Accept if and Reject otherwise.
Blindings
As you will see in the protocol, the prover reveals the value taken by a bunch of the polynomials at a random . In order for the protocol to be Honest Verifier Zero Knowledge, these polynomials need to be blinded. This is a process that makes the values of these polynomials at seemingly random by forcing them to be of certain degree. Here's how it works.
Let's take for example the polynomial the prover constructs. This is the interpolation of the first column of the trace matrix at the domain . This matrix has all of the left operands of all the gates. The prover wishes to keep them secret. Say the trace matrix has rows. And so is . The invariant that the prover cannot violate is that must take the value , for all . This is what the interpolation polynomial satisfies. And is the unique such polynomial of degree at most with such property. But for higher degrees, there are many such polynomials.
The blinding process takes and a desired degree , and produces a new polynomial of degree exactly . This new polynomial satisfies that for all . But outside differs from .
This may seem hard but it's actually very simple. Let be the polynomial . If , with , then sample random values and define
The reason why this does the job is that for all . Therefore the added term vanishes at and leaves the values of at unchanged.
Linearization trick
This is an optimization in PLONK to reduce the number of checks of the verifier.
One of the main checks in PLONK boils down to check that , with some polynomial that looks like , and so on. In particular the verifier needs to get the value from somewhere.
For the sake of simplicity, in this section assume is exactly . Secret to the prover here are only . The polynomials and are known also to the verifier. The verifier will already have the commitments and . So the prover could send just , along with their opening proofs and let the verifier compute by himself and . Then with all these values the verifier could compute . And also use his commitments to validate the opening proofs of and .
This has the problem that computing and is expensive. The prover can instead save the verifier this by sending also along with opening proofs. Since the verifier will have the commitments and beforehand, he can check that the prover is not cheating and cheaply be convinced that the claimed values are actually and . This is much better. It involves the check of four opening proofs and the computation of off the values received from the prover. But it can be further improved as follows.
As before, the prover sends along with their opening proofs. She constructs the polynomial . She sends the value along with an opening proof of it. Notice that the value of is exactly . The verifier can compute by himself as . The verifier has everything to check all three openings and get convinced that the claimed value is true. And this value is actually . So this means no more work for the verifier. And the whole thing got reduced to three openings.
This is called the linearization trick. The polynomial is called the linearization of .
Setup
There's a one time setup phase to compute some values common to any execution and proof of the particular circuit. Precisely, the following commitments are computed and published.
Proving algorithm
Next we describe the proving algorithm for a program of size . That includes public inputs. Let be a primitive -th root of unity. Let . Define .
Assume the eight polynomials of common preprocessed input are already given.
The prover computes the trace matrix as described in the first sections. That means, with the first rows corresponding to the public inputs. It should be a matrix.
Round 1
Add to the transcript the following:
Compute polynomials as the interpolation polynomials of the columns of at the domain . Sample random Let
Compute and add them to the transcript.
Round 2
Sample from the transcript.
Let and define recursively for .
Compute the polynomial as the interpolation polynomial at the domain of the values .
Sample random values and let .
Compute and add it to the transcript.
Round 3
Sample from the transcript.
Let be the interpolation of the public input matrix at the domain .
Let
and define . Compute such that . Write with and polynomials of degree at most .
Sample random and define
Compute and add them to the transcript.
Round 4
Sample from the transcript.
Compute and add them to the transcript.
Round 5
Sample from the transcript.
Let
Define
The subscript stands for "non constant", as is the part of the linearization of that has non constant factors. The subscript "partial" indicates that it is a partial evaluation of at . Partial meaning that only some power of ar replaced by the powers of . So in particular .
Let be the opening proof at of the polynomial defined as
Let be the opening proof at of the polynomial .
Compute and .
Proof
The proof is:
Verification algorithm
Transcript initialization
The first step is to initialize the transcript in the same way the prover did, adding to it the following elements.
Extraction of values and commitments
Challenges
Firstly, the verifier needs to compute all the challenges. For that, he follows these steps:
- Add to the transcript.
- Sample two challenges .
- Add to the transcript.
- Sample a challenge .
- Add to the transcript.
- Sample a challenge .
- Add to the transcript.
- Sample a challenge .
Compute
Also he needs compute a few values off all these data. First, he computes the matrix with the public inputs and outputs. He needs to compute , where is the interpolation of at the domain . But he doesn't need to compute . He can instead compute as where is the number of public inputs and is the Lagrange basis at the domain .
Compute claimed values and
He computes
This is the constant part of the linearization of . So adding it to what the prover claims to be , he obtains
With respect to , this is actually already .
Compute and
He computes these off the commitments in the proof as follows
For , first compute
Then .
Compute claimed value and
Compute as
Also, the commitment of the polynomial is
Proof check
Now the verifier has all the necessary values to proceed with the checks.
- Check that equals .
- Verify the opening of at . That is, check that outputs Accept.
- Verify the opening of at . That is, check the validity of the proof using the commitment and the value . That is, check that outputs Accept.
If all checks pass, he outputs Accept. Otherwise outputs Reject.