At the heart of the PLONK protocol lies one of its most fascinating components: the prover. After the universal trusted setup and the arithmetic representation of our computation, the prover takes center stage in constructing a convincing zero-knowledge proof that will persuade the verifier without revealing any sensitive information.
The prover's role in PLONK represents a remarkable achievement in zero-knowledge proof systems, offering a delicate balance between efficiency and security. Unlike its predecessors, PLONK's prover leverages the protocol's universal preprocessing to generate proofs that are both compact and computationally efficient, while maintaining the critical property of zero-knowledge.
The PLONK prover is broken down into rounds, and we will use these rounds to understand how the PLONK proof is generated.
As the protocol progresses, we create polynomials and mathematical relationships between polynomials, which are examined and sealed (with polynomial commitment schemes) and then used to create the PLONK protocol's proof.
Recall: CommonPreprocessedInput
{
Objective
This round aims to create the polynomials
Procedure
The first round of the PLONK protocol tells us how to;
Transcript
with some circuit binding values; this is to improve the soundness of the protocol (CommonPreprocessedInput
).blinding_factor
. (Commit
to polynomial Mathematical translation;
poly-commit
Objective
To enforce consistency across shared wires in the circuit using a permutation argument.
Procedure
Round One
.Mathematical translation;
poly_commit(z) =
Objective
Round three is the most complicated and computationally intensive round; the goal is to create a polynomial
A clever way to handle this is to break the polynomial into 3 parts before committing to it.
Procedure
Mathematical translation
The polynomial
where
Random scalars
This ensures that:
The prover commits to the split polynomials:
Objective
In the previous rounds we obtained a good number of polynomials. Operations over polynomials are not very computationally friendly, so to make this more efficient we reduce each polynomial to a scalar field element, which is significantly cheaper to work with.
Procedure
obtain
The prover computes the evaluations of various polynomials at
Polynomials and Their Evaluations:
The prover outputs the following evaluations:
Objective
This is the last stage of PLONK's proof generation algorithm. Here we create 2 polynomials that combine all the other polynomials obtained in the earlier rounds, also making use of the optimization we explored in round 4.
Procedure
The linearisation polynomial
To prove consistency between committed polynomials and their evaluations, the prover computes two opening proof polynomials:
Opening Proof Polynomial
Shifted Opening Proof Polynomial
The prover commits to these polynomials:
The final proof output by the prover is:
The multipoint evaluation challenge u is derived for subsequent verification:
obtain
This ensures randomness and ties the evaluations to the transcript’s integrity.
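The transcript binding from round one and the derivation of u above, as an added example (not code from this article or from any PLONK implementation): a SHA-256 Fiat-Shamir transcript whose final challenge changes when the circuit binding, a commitment or an evaluation changes. The `Transcript` class, `derive_u`, the labels, the hash choice and the BLS12-381 scalar field modulus are assumptions made for illustration.

```python
import hashlib

# Assumption: BLS12-381 scalar field order; use the field your circuit is defined over.
R = 0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001

class Transcript:
    """Hash-based Fiat-Shamir transcript (hypothetical helper built on SHA-256)."""
    def __init__(self, circuit_binding: bytes):
        self._h = hashlib.sha256()
        # Bind every later challenge to the circuit (the preprocessed input).
        self.absorb(b"circuit", circuit_binding)

    def absorb(self, label: bytes, data: bytes) -> None:
        # Length prefixes keep the (label, data) boundaries unambiguous.
        for part in (label, data):
            self._h.update(len(part).to_bytes(8, "big"))
            self._h.update(part)

    def challenge(self, label: bytes) -> int:
        self.absorb(b"challenge", label)
        # Two counter-separated digests (512 bits) keep the reduction mod R
        # statistically close to uniform.
        wide = b"".join(self._fork(i) for i in (0, 1))
        value = int.from_bytes(wide, "big") % R
        # Feed the output back so later challenges depend on earlier ones.
        self.absorb(b"output", value.to_bytes(32, "big"))
        return value

    def _fork(self, counter: int) -> bytes:
        h = self._h.copy()
        h.update(bytes([counter]))
        return h.digest()

def derive_u(circuit_binding: bytes, commitments: list, evaluations: list) -> int:
    """Replay the prover's messages in order and return the final challenge u."""
    t = Transcript(circuit_binding)
    for i, c in enumerate(commitments):
        t.absorb(b"commitment-%d" % i, c)
    t.challenge(b"earlier-rounds")  # stands in for the challenges of the earlier rounds
    for i, e in enumerate(evaluations):
        t.absorb(b"evaluation-%d" % i, e.to_bytes(32, "big"))
    return t.challenge(b"u")

# Constructed sample messages (not real curve points or evaluations).
COMMS = [b"\x01" * 48, b"\x02" * 48, b"\x03" * 48]
EVALS = [11, 22, 33]
```

A verifier that replays the same messages in the same order recomputes the same u; any message left out of the transcript is one the prover can change without affecting the challenge.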
The PLONK prover exemplifies the brilliance of modern zero-knowledge proof systems, transforming abstract mathematical principles into a robust, efficient protocol. Through its structured rounds, the prover ensures that the commitments, constraints, and evaluations are securely generated, maintaining the balance between computational feasibility and cryptographic soundness. By leveraging techniques such as polynomial commitments, blinding, and linearization, the prover creates a succinct proof that encapsulates the circuit’s correctness without revealing any sensitive details.
This step-by-step breakdown of the PLONK prover highlights not only the ingenuity of its design but also the elegance of how its components work together. From initializing the transcript to generating the final proof, each stage contributes to the protocol’s goal of scalability and universality, paving the way for a wide range of real-world applications in privacy-preserving computations and decentralized systems.