FFlonk Comments and Optimizations

(Optimized) PCS of ShPlonk

This PCS is composed by the following algorithms:

$g e n (d)$ . The generator algorithm outputs
$s r s = ([1]_{1}, [x]_{1}, [x^{2}]_{1}, \dots, [x^{d - 1}]_{1}, [1]_{2}, [x]_{2})$ for a random (and secret)
$x \in F$ .
$c o m (f_{i})$ . Given a polynomial
$f_{i} \in F_{< d} [X]$ , the committer algorithm outputs
$[f_{i} (x)]_{1}$ .
$o p e n ({c m_{i}}_{k}, {S_{i}}_{k}, {r_{i}}_{k}; {f_{i}}_{k})$ . The opening algorithm works as follows, where
$k$ is the number of committed polynomials,
${c m_{i}}_{k}$ are the alleged commitments to
${f_{i}}_{k}$ ,
$T = {z_{1}, \dots, z_{t}}$ is the set of opening points,
${S_{i}}_{k}$ is the opening set for the
$i$ -th polynomial, and
${r_{i}}_{k}$ are the polynomials interpolating the alleged the openings. Assume for simplicity that
$k = 2$ and that
$S_{1} = {z_{1}}$ and
$S_{2} = {z_{2}}$ .
1. V sends a random challenge
  $γ \in F$ .
2. P sends
  $W = [(f / Z_{T}) (x)]_{1}$ , where:
  $f (X) = (X - z_{2}) (f_{1} (X) - r_{1} (X)) + γ (X - z_{1}) (f_{2} (X) - r_{2} (X)) .$ In the normal batched KZG, V would stop here and simply use pairings to check the correctness. In ShPlonk, however, there is one extra round to reduce verifier complexity.
3. V sends a random evaluation point
  $z \in F$ .
4. P sends
  $W^{'} = {[\frac{L (x)}{(z - z_{2}) (x - z)}]}_{1}$ , where:
  $L (X) = (z - z_{2}) (f_{1} (X) - r_{1} (z)) + γ (z - z_{1}) (f_{2} (X) - r_{2} (z)) - Z_{T} (z) \frac{f (X)}{Z_{T} (X)} .$ This protocol improves the original shPlonk, by one verifier scalar multiplication, by normalizing the definition of
  $L$ dividing it by
  $(z - z_{2})$ . Notice that
  $L (z) = f (z) - f (z) = 0$ .
5. TOFINISH. verifier check

PCS of Fflonk

This PCS differs from the previous one in that the commitment to a set of polynomials

f_{i} \in F_{< d} [X]

, is carried on by computing the polynomial:

g (X) = f_{1} (X^{t}) + f_{2} (X^{t}) X + \dots + f_{t} (X^{t}) X^{t - 1},

and outputting

[g (x)]_{1}

One Vector of Polynomials and One Evaluation Point

Assume

z = h^{t}

Then, to open

f_{1}, \dots, f_{t}

{f_{1} (z), \dots, f_{t} (z)}

, open

g

{h, h ω, h ω^{2}, \dots, h ω^{t - 1}}

, where

ω

is a primitive

t

-th root of unity. To this end, compute the following two sets:

\begin{array}{r} {\bar{Z}}^{'} = r o o t s_{t} (z) = {h, h ω, \dots, h ω^{t - 1}}, \\ \bar{S} = {f_{1} (z), f_{2} (z), \dots, f_{t} (z)}, \end{array}

and compute the set:

{\bar{S}}^{'} = \bar{S} ({\bar{Z}}^{'}) = {f_{1} (z) + f_{2} (z) h + \dots + f_{t} (z) h^{t - 1}, \dots, f_{1} (z) + f_{2} (z) h ω + \dots + f_{t} (z) (h ω)^{t - 1}}

and notice that

{\bar{S}}^{'} = {g (h), g (h ω), \dots, g (h ω^{t - 1})}

Finally, engage in the

o p e n (c m, {\bar{Z}}^{'}, {\bar{S}}^{'}; g)

protocol.

One Vector of Polynomials and Multiple Evaluation Points

Assume

z_{1} = h_{1}^{t}, \dots, z_{k} = h_{k}^{t}

. Then, basically run the previous protocol on each of the evaluations points.

Then, to open

f_{1}, \dots, f_{t}

{[f_{1} (z_{1}), f_{2} (z_{1}), \dots, f_{t} (z_{1})], \dots, [f_{1} (z_{k}), f_{2} (z_{k}), \dots, f_{t} (z_{k})]}

, open

g

{[h_{1}, h_{1} ω, \dots, h_{1} ω^{t - 1}], \dots, [h_{k}, h_{k} ω, \dots, h_{k} ω^{t - 1}]}

, where

ω

is a primitive

t

-th root of unity. To this end, compute the following two sets:

\begin{array}{r} {\bar{Z}}^{'} = r o o t s_{t} (z) = {[h_{1}, h_{1} ω, \dots, h_{1} ω^{t - 1}], \dots, [h_{k}, h_{k} ω, \dots, h_{k} ω^{t - 1}]}, \\ \bar{S} = {[f_{1} (z_{1}), f_{2} (z_{1}), \dots, f_{t} (z_{1})], \dots, [f_{1} (z_{k}), f_{2} (z_{k}), \dots, f_{t} (z_{k})]}, \end{array}

and compute the set

{\bar{S}}^{'} = {[g (h_{1}), g (h_{1} ω), \dots, g (h_{1} ω^{t - 1})], \dots, [g (h_{k}), g (h_{k} ω), \dots, g (h_{k} ω^{t - 1})]}

Finally, engage in the

o p e n (c m, {\bar{Z}}^{'}, {\bar{S}}^{'}; g)

protocol.

Multiple Vectors of Polynomials and Multiple Evaluation Points

Generalize the previous protocol and engage in the

o p e n ({c m_{i}}, {\bar{Z}}^{'}, {\bar{S}}^{'}; {g_{i}})

protocol. I don't write it to avoid crazy notation, but this is the one applied in the following section.

Adding Zero-Knowledge (with Dummy Gates)

In the PlonK paper, in the order for the protocol to be zero-knowledge, the authors add to some witness-related polynomial a blinding polynomial

b \in F [X]

as follows:

a (X) := b (X) Z_{H} (X) + \sum_{i = 1}^{n} w_{i} L_{i} (X) .

To guarantee zero-knowledge, the degree of this polynomial should be at least equal to the number of revealed evaluations of

a

that the prover sends to the verifier in the opening phase of the KZG commitment scheme. This strategy ends up defining polynomials with degree

n + \deg (b)

, which is inefficient for practical scenarios in which

n

is a power of two.

To avoid this issue, we proceed as follows. From now on, let

m

be the circuit size (that is, the number of gates) and let

n

be the closest power of two such that

n \geq m + 4

Wiring Polynomials

We add zero-knowledge to the wiring polynomials

a, b, c

by sampling blinding factors

b_{1}, \dots, b_{6} \in F

and defining:

\begin{aligned} a (X) & := \sum_{i = 1}^{m} w_{i} L_{i} (X) + b_{1} L_{m + 1} (X) + b_{2} L_{m + 2} (X), \\ b (X) & := \sum_{i = 1}^{m} w_{m + i} L_{i} (X) + b_{3} L_{m + 1} (X) + b_{4} L_{m + 2} (X), \\ c (X) & := \sum_{i = 1}^{m} w_{2 m + i} L_{i} (X) + b_{5} L_{m + 1} (X) + b_{6} L_{m + 2} (X), \end{aligned}

where note that

a (ω^{i}) = b (ω^{i}) = c (ω^{i}) = 0

for all

i \in {m + 3, m + 4, \dots, n}

. In essence, we are adding dummy gates that will be satisfied by definition and not because of the circuit.

Now, let's look at the satisfiability of the following constraint, for each

x \in H

q_{L} (x) a (x) + q_{R} (x) b (x) + q_{O} (x) c (x) + q_{M} (x) a (x) b (x) + q_{C} (x) + P I (x) = 0

For
$i = 1, \dots, m$ the constraint is satisfied if the associated values satisfy the given circuit. In fact, we can safely assume that the number of public inputs is lower than
$m$ , so the public input polynomial
$P I$ evaluates to
$0$ in the forthcoming cases.
For
$i = m + 1$ the constraint becomes:

$q_{L} (ω^{m + 1}) b_{1} + q_{R} (ω^{m + 1}) b_{3} + q_{O} (ω^{m + 1}) b_{5} + q_{M} (ω^{m + 1}) b_{1} \cdot b_{3} + q_{C} (ω^{m + 1}) = 0,$
which is satisfied by setting all the selectors equal to
$0$ at
$ω^{m + 1}$ . The same happens in the case
$i = m + 2$ .
For
$i = m + 3, \dots, n$ we simply set
$q_{C} (ω^{i}) = 0$ . Notice that while the rest of the selectors could evaluate to any value from
$F$ (without affecting the soundness of the protocol), so we set them to
$0$ for simplicity of the exposition.

To summary, the only change we have to do with respect to the original protocol is to define the selector polynomials as follows:

\begin{matrix} q_{L} (X) = \sum_{i = 1}^{m} q_{L_{i}} L_{i} (X), q_{R} (X) = \sum_{i = 1}^{m} q_{R_{i}} L_{i} (X), q_{O} (X) = \sum_{i = 1}^{m} q_{O_{i}} L_{i} (X), \\ q_{M} (X) = \sum_{i = 1}^{m} q_{M_{i}} L_{i} (X), q_{C} (X) = \sum_{i = 1}^{m} q_{C_{i}} L_{i} (X) . \end{matrix}

Grand-Product Polynomial

We add zero-knowledge to the grand-product polynomial

z

by sampling blinding factors

b_{7}, b_{8}, b_{9} \in F

and defining:

\begin{aligned} z (X) := & L_{1} (X) + \sum_{i = 1}^{m - 1} (L_{i + 1} (X) \prod_{j = 1}^{i} \frac{(w_{j} + β ω^{j} + γ) (w_{m + j} + β k_{1} ω^{j} + γ) (w_{2 m + j} + β k_{2} ω^{j} + γ)}{(w_{j} + β σ^{*} (j) + γ) (w_{m + j} + β σ^{*} (m + j) + γ) (w_{2 m + j} + β σ^{*} (2 m + j) + γ)}) \\ + L_{m + 1} (X) + b_{7} L_{m + 2} (X) + b_{8} L_{m + 3} (X) + b_{9} L_{m + 4} (X) + \sum_{i = m + 5}^{n} L_{i} (X) . \end{aligned}

Now, let's look at the satisfiability of the following constraint, for each

x \in H

\begin{aligned} (a (x) + β x + γ) (b (x) + β k_{1} x + γ) (c (x) + β k_{2} x + γ) z (x) \\ - (a (x) + β S_{σ_{1}} (x) + γ) (b (x) + β S_{σ_{2}} (x) + γ) (c (x) + β S_{σ_{3}} (x) + γ) z (x ω) = 0. \end{aligned}

For
$i = 1, \dots, m$ the constraints is satisfied if the
$z$ polynomial is correctly constructed.
For
$i = m + 1$ the constraint becomes:

$\begin{aligned} (b_{1} + β ω^{m + 1} + γ) (b_{3} + β k_{1} ω^{m + 1} + γ) (b_{5} + β k_{2} ω^{m + 1} + γ) \\ - (b_{1} + β S_{σ_{1}} (ω^{m + 1}) + γ) (b_{3} + β S_{σ_{2}} (ω^{m + 1}) + γ) (b_{5} + β S_{σ_{3}} (ω^{m + 1}) + γ) b_{7} = 0, \end{aligned}$
which is not satisfied with overwhelming probability. Consequently, we should multiply both sides of the constraint by
$(x - ω^{m + 1})$ . The same goes for the cases
$i = m + 2, i = m + 3$ and
$i = m + 4$ , so we also multiply by
$(x - ω^{m + 2}), (x - ω^{m + 3})$ and
$(x - ω^{m + 4})$ as well.
For
$i = m + 5, \dots, n$ the constraint turns out to be:

$\begin{array}{r} (β ω^{i} + γ) (β k_{1} ω^{i} + γ) (β k_{2} ω^{i} + γ) - (β S_{σ_{1}} (ω^{i}) + γ) (β S_{σ_{2}} (ω^{i}) + γ) (β S_{σ_{3}} (ω^{i}) + γ) = 0, \end{array}$
which is satisfied by setting
$S_{σ_{1}} (ω^{i}) = ω^{i}, S_{σ_{2}} (ω^{i}) = k_{1} ω^{i}$ and
$S_{σ_{3}} (ω^{i}) = k_{2} ω^{i}$ , i.e., the permutation
$σ^{*}$ acts like the identity function for
$i \in {m + 5, \dots, n}$ .

Moreover, we should add a constraint attesting that

z

is equal to one at

ω^{m + 1}

(since this is the point in which the "real" gates ends). Finally, notice that the

S_{σ_{1}}, S_{σ_{2}}, S_{σ_{3}}

could evaluate to any value from

F

(without affecting the soundness of the protocol) for

i = m + 1, \dots, m + 4

, so we set them to

1

for simplicity in their definition.

To summary, we must have to perform two changes. First, the new constraints of

Z

become:

\begin{aligned} L_{1} (X) (z (X) - 1)) = 0, \\ [(a (X) + β X + γ) (b (X) + β k_{1} X + γ) (c (X) + β k_{2} X + γ) z (X) \\ - (a (X) + β S_{σ_{1}} (X) + γ) (b (X) + β S_{σ_{2}} (X) + γ) (c (X) + β S_{σ_{3}} (X) + γ) z (X ω)] \\ (X - ω^{m + 1}) (X - ω^{m + 2}) (X - ω^{m + 3}) (X - ω^{m + 4}) = 0, \\ L_{m + 1} (X) (z (X) - 1)) = 0. \end{aligned}

Second, we define the sigma polynomials as follows:

\begin{matrix} S_{σ_{1}} (X) = \sum_{i = 1}^{m} σ^{*} (i) L_{i} (X) + \sum_{i = m + 1}^{n} ω^{i} L_{i} (X), S_{σ_{2}} (X) = \sum_{i = 1}^{m} σ^{*} (m + i) L_{i} (X) + \sum_{i = m + 1}^{n} k_{1} ω^{i} L_{i} (X), \\ S_{σ_{3}} (X) = \sum_{i = 1}^{m} σ^{*} (2 m + i) L_{i} (X) + \sum_{i = m + 1}^{n} k_{2} ω^{i} L_{i} (X) . \end{matrix}

Lagrange Polynomials

Keep in mind that Lagrange polynomials are different if points in which they are evaluated are distinct. For example, the Lagrange polynomial for

H

satisfies, for

i \in [n]

L_{i} (x) = {\begin{cases} 1 & if x = ω^{i - 1} \\ 0 & if x = ω^{j}, j \neq i - 1 \end{cases}

and moreover

L_{i}

is a polynomial of degree

n - 1

In contrast, the Lagrange polynomial

L_{i}^{(S_{0})}

satisfies, for

i \in [8]

L_{i}^{(S_{0})} (x) = {\begin{cases} 1 & if x = h_{0} ω_{8}^{i - 1} \\ 0 & if x = h_{0} ω_{8}^{j}, j \neq i - 1 \end{cases}

the Lagrange polynomial

L_{i}^{(S_{1})}

satisfies, for

i \in [4]

L_{i}^{(S_{1})} (x) = {\begin{cases} 1 & if x = h_{1} ω_{4}^{i - 1} \\ 0 & if x = h_{1} ω_{4}^{j}, j \neq i - 1 \end{cases}

and the Lagrange polynomial

L_{i}^{(S_{2})}

satisfies, for

i \in {1, 2, 3}

and

j \in {4, 5, 6}

\begin{array}{cc} L_{i}^{(S_{2})} (x) = {\begin{cases} 1 & if x = h_{2} ω_{3}^{i - 1} \\ 0 & otherwise \end{cases} & L_{j}^{(S_{2})} (x) = {\begin{cases} 1 & if x = h_{3} ω_{3}^{j - 1} \\ 0 & otherwise \end{cases} \end{array}

or more explicitly:

\begin{matrix} L_{i} (X) := \frac{ω^{i - 1}}{n} \frac{X^{n} - 1}{X - ω^{i - 1}}, \\ L_{i}^{(S_{0})} (X) := \frac{ω_{8}^{i - 1}}{8 h_{0}^{7}} \cdot \frac{X^{8} - h_{0}^{8}}{(X - h_{0} ω_{8}^{i - 1})}, \\ L_{i}^{(S_{1})} (X) := \frac{ω_{4}^{i - 1}}{4 h_{1}^{3}} \cdot \frac{X^{4} - h_{1}^{4}}{(X - h_{1} ω_{4}^{i - 1})}, \\ L_{i}^{(S_{2})} (X) := \frac{ω_{3}^{i - 1}}{3 h_{2}^{5} - 3 h_{3}^{3} h_{2}^{2}} \cdot \frac{X^{6} - (h_{2}^{3} + h_{3}^{3}) X^{3} + h_{2}^{3} h_{3}^{3}}{(X - h_{2} ω_{3}^{i - 1})}, \\ L_{j}^{(S_{2})} (X) := \frac{ω_{3}^{j - 1}}{3 h_{3}^{5} - 3 h_{2}^{3} h_{3}^{2}} \cdot \frac{X^{6} - (h_{2}^{3} + h_{3}^{3}) X^{3} + h_{2}^{3} h_{3}^{3}}{(X - h_{3} ω_{3}^{j - 1})} . \end{matrix}

Division by a Polynomial of the form
$X^{m} - β$

Given a polynomial

p (X) = a_{d} X^{d} + \dots + a_{1} X + a_{0} \in F [X]

of degree

d

at least

m

and a field element

β

, the quotient of the division

p (X) / (X^{m} - β)

is the polynomial:

\begin{aligned} q (X) := & a_{d} X^{d - m} + a_{d - 1} X^{(d - 1) - m} + \dots + a_{d - (m - 1)} X^{(d - (m - 1)) - m} + \\ + (a_{d - m} + a_{d} \cdot β) X^{(d - m) - m} + \dots + (a_{d - (2 m - 1)} + a_{d - (m - 1)} \cdot β) X^{(d - (2 m - 1)) - m} + \\ + (a_{d - 2 m} + a_{d - m} \cdot β + a_{d} \cdot β^{2}) X^{(d - 2 m) - m} + \dots + (a_{d - (3 m - 1)} + a_{d - (2 m - 1)} \cdot β + a_{d - (m - 1)} \cdot β^{2}) X^{(d - (3 m - 1)) - m} \\ ⋮ \end{aligned}

Basically,

q

is a polynomial with the

m

leading coefficients equal to the

m

leading coefficients of

p

; the following

m

coefficients are of the form

a_{i} + a_{j} \cdot β

, with

j - i = m

; the following

m

coefficients are of the form

a_{i} + a_{j} \cdot β + a_{k} \cdot β^{2}

, with

j - i = k - j = m

; and so on. Intuitively speaking, each

m

coefficients of

q

, one jumps from the actual coefficient of

p

with jumps of length

m

until "is possible" from bot to top. Consequently, the last

m

coefficients of

p

are never used for

q

For instance, if

p (X) = \sum_{i = 0}^{10} a_{i} X^{i}

and

m = 2

, then:

\begin{aligned} q (X) := & a_{10} X^{8} + a_{9} X^{7} + (a_{8} + a_{10} β) X^{6} + (a_{7} + a_{9} β) X^{5} + \\ + (a_{6} + a_{8} β + a_{10} β^{2}) X^{4} + (a_{5} + a_{7} β + a_{9} β^{2}) X^{3} + \\ + (a_{4} + a_{6} β + a_{8} β^{2} + a_{10} β^{3}) X^{2} + (a_{3} + a_{5} β + a_{7} β^{2} + a_{9} β^{3}) X + \\ + (a_{2} + a_{4} β + a_{6} β^{2} + a_{8} β^{3} + a_{10} β^{4}) \end{aligned}

Note that if

d \leq 2 m - 1

, then

q

is only composed of the

m

leading coefficients of

p

Alternative

function divideByVanishingCoset(p, n, b, p) {
  let q = Array(p.length).fill(0n);
  let r = [...p];
  for (let i = p.length - 1; i >= n; i--) {
    let leadingCoeff = r[i];
    if (leadingCoeff === 0n) continue;
    r[i] = 0n;
    r[i - n] = mod(r[i - n] + b * leadingCoeff, p);
    q[i - n] = mod(q[i - n] + leadingCoeff, p);
  }
  return [q, r];
}

We want to find polynomials

q

and

r

such that

p (X) = q (X) (X^{n} - β) + r (X)

with

0 \leq \deg (r) < n

. The following observation is crucial:

\begin{aligned} p (X) & = 0 \cdot (X^{n} - β) + p (X) = 0 \cdot (X^{n} - β) + (p (X) - p_{d} X^{d}) + p_{d} X^{d} = \\ = 0 \cdot (X^{n} - β) + (p (X) - p_{d} X^{d}) + p_{d} X^{d - n} X^{d} - β \cdot p_{d} X^{d - n} + β \cdot p_{d} X^{d - n} = \\ = 0 \cdot (X^{n} - β) + (p (X) - p_{d} X^{d}) + p_{d} X^{d - n} (X^{d} - β) + β \cdot p_{d} X^{d - n} = \\ = p_{d} X^{d - n} \cdot (X^{n} - β) + (p (X) - p_{d} X^{d} + β \cdot p_{d} X^{d - n}) \end{aligned}

The idea is to lower the degree of

r

by correctly varying

q

and

r

while preserving the previous identity.

Generalization to Multiple Polynomials

Given a polynomial

p (X) = a_{d} X^{d} + \dots + a_{1} X + a_{0}

of degree

d

at least

| T | = 18

that is divisible by

Z_{T}

, the following algorithm gives the quotient of the division

p / Z_{T}

We start by noticing that:

Z_{T} (X) = Z_{S_{0}} (X) \cdot Z_{S_{1}} (X) \cdot Z_{S_{2}} (X) = (X^{8} - z) \cdot (X^{4} - z) \cdot (X^{6} - z (1 + ω) X^{3} + z^{2} ω)

Then, we proceed as follows:

Divide
$p$ by
$Z_{S_{0}}$ to obtain the polynomial
$q_{0}$ such that
$q_{0} (X) \cdot Z_{S_{0}} (X) = p (X)$ .
Divide
$q_{0}$ by
$Z_{S_{1}}$ to obtain the polynomial
$q_{1}$ such that
$q_{1} (X) \cdot Z_{S_{1}} (X) = q_{0} (X)$ .
Split
$Z_{S_{2}} (X) = (X^{6} - z (1 + ω) X^{3} + z^{2} ω)$ as the multiplication of
$(X^{3} - z)$ and
$(X^{3} - z ω)$ . Then:
- Divide
  $q_{1}$ by
  $(X^{3} - z)$ to obtain the polynomial
  $q_{2}$ s.t.
  $q_{2} (X) \cdot (X^{3} - z) = q_{1} (X)$ .
- Divide
  $q_{2}$ by
  $(X^{3} - z ω)$ to obtain the polynomial
  $q_{3}$ s.t.
  $q_{3} (X) \cdot (X^{3} - z ω) = q_{2} (X)$ .

The polynomial

q_{3} (X)

satisfies

Z_{T} (X) \cdot q_{3} (X) = p (X)

FFlonk Comments and Optimizations

(Optimized) PCS of ShPlonk

PCS of Fflonk

One Vector of Polynomials and One Evaluation Point

One Vector of Polynomials and Multiple Evaluation Points

Multiple Vectors of Polynomials and Multiple Evaluation Points

Adding Zero-Knowledge (with Dummy Gates)

Wiring Polynomials

Grand-Product Polynomial

Lagrange Polynomials

Division by a Polynomial of the form Xm−β

Alternative

Generalization to Multiple Polynomials

tags: PlonK

Read more

Elliptic Curves over Goldilocks

Fflonk

Computing the Optimal Ate Pairing over the BN254 Curve

Computing the Optimal Ate Pairing over the BLS12-381 Curve

Division by a Polynomial of the form
$X^{m} - β$

tags: `PlonK`