Understand PLONK: The PLONK verifier

The PLONK (Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge) verification algorithm is a cornerstone of modern zk-SNARKs, enabling succinct, non-interactive proofs of arbitrary computations. In this blog, we’ll break down the PLONK verification algorithm step by step, demystifying its inner workings.

What is PLONK Verification?

At a high level, PLONK verification ensures that the proof generated by the prover is valid for a specific computation. The verifier performs various checks, leveraging cryptographic commitments and field operations to validate the integrity of the proof without needing to re-execute the computation.

Key Preliminaries

Before diving into the steps, let’s clarify the inputs and mathematical tools involved:
• Verifier Preprocessed Input:
Preprocessed elements include commitments to selector polynomials

[q M] 1, [q L] 1, [q R] 1, [q O] 1, [q C] 1

, permutation polynomials

[s σ 1] 1, [s σ 2] 1, [s σ 3] 1

, and a generator

x

.
• Proof Elements

(π_{S N A R K})

:
Contains commitments

[a] 1, [b] 1, [c] 1, [z] 1

and other elements such as

[t l o] 1, [t m i d] 1, [t h i] 1

, along with evaluations in the field

(\overset{―}{a}, \overset{―}{b}, \overset{―}{c}, \overset{―}{s σ 1}, \overset{―}{s σ 2}, z_{ω})

.
• Challenges

(β, γ, α, ζ, v, u)

:
Generated deterministically from the proof and public input.

Step-by-Step Breakdown

Validate Proof Components
The verifier starts by checking the structural validity of the proof elements:
• Ensure
$([a] 1, [b] 1, [c] 1, [z] 1, [t l o] 1, [t m i d] 1, [t h i] 1, [W z] 1, [W z ω] 1) \in G_{1}^{9}$ , where
$G_{1}$ is the elliptic curve group.
• Validate that field elements
$(\overset{―}{a}, \overset{―}{b}, \overset{―}{c}, \overset{―}{s σ 1}, \overset{―}{s σ 2}, z_{ω}) \in F^{6}$ .
• Confirm public inputs
$(w_{i})_{i \in [ℓ]} \in F^{ℓ}$ .
Compute Challenges
Challenges
$β, γ, α, ζ, v, u$ are derived from the proof, public inputs, and common reference string (CRS). These challenges provide randomness and ensure security.
Evaluate Polynomials
Several critical polynomial evaluations are computed:
• Zero Polynomial Evaluation:

$Z_{H} (z) = z^{n} - 1$
This polynomial vanishes on the roots of unity.
• Lagrange Polynomial Evaluation:

$L_{1} (z) = \frac{ω (z^{n - 1})}{n (z - ω)}$
Evaluates the first Lagrange polynomial at
$z$ .
• Public Input Polynomial:

$P I (z) = \sum_{i \in [ℓ]} w_{i} L_{i} (z)$
Construct r and Batch Polynomial Commitment
$[D] 1$
The verifier splits the r polynomial into constant and non-constant terms:
• Constant Term
$(r_{0})$ :

$r_{0} = P I (z) - L_{1} (z) α^{2} - α (\overset{―}{a} + β \overset{―}{s σ 1} + γ) (\overset{―}{b} + β \overset{―}{s σ 2} + γ) (\overset{―}{c} + γ) {\overset{―}{z}}_{ω}$
• Non-Constant Term:
Remaining terms of
$r (X)$ are grouped into the batched polynomial commitment:

$[D] 1 = \overset{―}{a} \overset{―}{b} \cdot [q M] 1 + \overset{―}{a} \cdot [q L] 1 + \overset{―}{b} \cdot [q R] 1 + \overset{―}{c} \cdot [q O] 1 + [q C] 1 + (other terms)$
Compute Full Batched Polynomial Commitment
$[F] 1$
The verifier aggregates polynomial commitments into a single point
$[F] 1$ , incorporating proof elements and field challenges:

$[F] 1 = [D] 1 + v \cdot [a] 1 + v^{2} \cdot [b] 1 + v^{3} \cdot [c] 1 + v^{4} \cdot [s σ 1] 1 + v^{5} \cdot [s σ 2] 1$
Group-Encoded Batch Evaluation
$[E] 1$
The verifier encodes batch evaluations into another group element:

$[E] 1 = (- r_{0} + v \overset{―}{a} + v^{2} \overset{―}{b} + v^{3} \overset{―}{c} + v^{4} \overset{―}{s σ 1} + v^{5} \overset{―}{s σ 2} + u {\overset{―}{z}}_{ω}) \cdot [1] 1$
Pairing Check
The final validation step involves pairing-based checks. The verifier ensures:

$e ([W z] 1 + u \cdot [W z ω] 1, [x] 2) = e (z \cdot [W z] 1 + u {\overset{―}{z}}_{ω} \cdot [W z ω] 1 + [F] 1 - [E] 1, [1] 2)$
This pairing equation confirms the consistency of all evaluations.

Why PLONK Verification is Efficient

• Batched Evaluations: Combines multiple checks into a single equation, reducing computation.
• Scalability: Independent of circuit size, making it ideal for large computations.
• Zero-Knowledge: The verifier learns nothing beyond the validity of the proof.

The PLONK verification algorithm showcases the power of cryptographic techniques to enable succinct and efficient proofs. By leveraging polynomial commitments, batched evaluations, and pairings, PLONK provides a secure, scalable solution for validating computations in zk-SNARKs. Understanding this algorithm not only deepens our appreciation for modern cryptography but also paves the way for exploring advanced applications in decentralized systems.

Understand PLONK: The PLONK verifier

What is PLONK Verification?

Key Preliminaries

Step-by-Step Breakdown

Why PLONK Verification is Efficient

Read more

Math: Explaining polynomial-based equality checks

Building the RISC-V VM

Understand PLONK: The PLONK Prover

EIP2771 Gasless Relayer