This PCS is composed by the following algorithms:
This PCS differs from the previous one in that the commitment to a set of polynomials , is carried on by computing the polynomial:
and outputting .
Assume .
Then, to open at , open at , where is a primitive -th root of unity. To this end, compute the following two sets:
and compute the set:
and notice that .
Finally, engage in the protocol.
Assume . Then, basically run the previous protocol on each of the evaluations points.
Then, to open at , open at , where is a primitive -th root of unity. To this end, compute the following two sets:
and compute the set .
Finally, engage in the protocol.
Generalize the previous protocol and engage in the protocol. I don't write it to avoid crazy notation, but this is the one applied in the following section.
In the PlonK paper, in the order for the protocol to be zero-knowledge, the authors add to some witness-related polynomial a blinding polynomial as follows:
To guarantee zero-knowledge, the degree of this polynomial should be at least equal to the number of revealed evaluations of that the prover sends to the verifier in the opening phase of the KZG commitment scheme. This strategy ends up defining polynomials with degree , which is inefficient for practical scenarios in which is a power of two.
To avoid this issue, we proceed as follows. From now on, let be the circuit size (that is, the number of gates) and let be the closest power of two such that .
We add zero-knowledge to the wiring polynomials by sampling blinding factors and defining:
where note that for all . In essence, we are adding dummy gates that will be satisfied by definition and not because of the circuit.
Now, let's look at the satisfiability of the following constraint, for each :
To summary, the only change we have to do with respect to the original protocol is to define the selector polynomials as follows:
We add zero-knowledge to the grand-product polynomial by sampling blinding factors and defining:
Now, let's look at the satisfiability of the following constraint, for each :
Moreover, we should add a constraint attesting that is equal to one at (since this is the point in which the "real" gates ends). Finally, notice that the could evaluate to any value from (without affecting the soundness of the protocol) for , so we set them to for simplicity in their definition.
To summary, we must have to perform two changes. First, the new constraints of become:
Second, we define the sigma polynomials as follows:
Keep in mind that Lagrange polynomials are different if points in which they are evaluated are distinct. For example, the Lagrange polynomial for satisfies, for :
and moreover is a polynomial of degree .
In contrast, the Lagrange polynomial satisfies, for :
the Lagrange polynomial satisfies, for :
and the Lagrange polynomial satisfies, for and :
or more explicitly:
Given a polynomial of degree at least and a field element , the quotient of the division is the polynomial:
Basically, is a polynomial with the leading coefficients equal to the leading coefficients of ; the following coefficients are of the form , with ; the following coefficients are of the form , with ; and so on. Intuitively speaking, each coefficients of , one jumps from the actual coefficient of with jumps of length until "is possible" from bot to top. Consequently, the last coefficients of are never used for .
For instance, if and , then:
Note that if , then is only composed of the leading coefficients of .
We want to find polynomials and such that with . The following observation is crucial:
The idea is to lower the degree of by correctly varying and while preserving the previous identity.
Given a polynomial of degree at least that is divisible by , the following algorithm gives the quotient of the division .
We start by noticing that:
Then, we proceed as follows:
Divide by to obtain the polynomial such that .
Divide by to obtain the polynomial such that .
Split as the multiplication of and . Then:
The polynomial satisfies .
PlonK