Fflonk

Link to the paper: https://eprint.iacr.org/2021/1167.pdf
Link to the slides: https://hecmas.github.io/talk/fflonk-for-the-polygon-zkevm/
Link to some comments and optimizations: https://hackmd.io/-2oVDtk4TJGVWFAYvUoY1g?view

Comparison to Other Protocols

Protocol	CRS/SRS Size	Prover Comp.	Proof Length	Verifier Comp.
Groth16	$3 m + w G_{1}$	$3 m + w - ℓ G_{1}, m G_{2}$	$2 G_{1}, 1 G_{2}$	$ℓ G_{1}, 3 P$
Plonk	$3 n G_{1}, 2 G_{2}$	$11 n G_{1}$	$7 G_{1}, 7 F$	$16 G_{1}, 2 P$
Fflonk	$9 n G_{1}, 2 G_{2}$	$35 n G_{1}$	$4 G_{1}, 15 F$	$5 G_{1}, 2 P$
PolyMath			$3 G_{1}, 1 F$	$2 G_{1}, 1 G_{2}, 2 P, O (ℓ \log ℓ) F$

$m$ denotes the number of multiplication gates.
$w$ denotes the number of wires.
$n$ denotes the number of gates.
$ℓ$ denotes number of public inputs.
$G_{i}$ denotes scalar multiplications in
$G_{i}$ .
$P$ denotes pairings.

Full Description of the Protocol

Fix positive integer

A

dividing

p - 1

(for the case of a sufficiently smooth prime field, setting

A = 24

is enough). Let

T

be the set of divisors of

A

, i.e.,

T = {t \in N ∣ 0 < t \leq A, t ∣ A}

. Let also

S

be the set of

A

'th powers in

F

; i.e.,

S = {x \in F ∣ \exists z \in F s . t . z^{A} = x}

Assume that

n

is a power of two such that

24 n

divides

p - 1

, and

H \subset F

is a multiplicative subgroup of

F

of order

n

with generator

ω

. One can show^[1] that the previous divisibility assumption implies that

ω

is a

24

-th power in

F

, which is necessary to ensure that

ω

has some particular roots.

We denote by

ω_{3}

to a generator of order

3

, by

ω_{4}

to a generator of order

4

and by

ω_{8}

to a generator of order

8

. Finally, we denote by

L_{i}^{(S)}

the Lagrange polynomials for any set

S \neq H

and by

L_{i}

the Lagrange polynomials for

H

Common preprocessed input:

n, (x \cdot [1]_{1}, . . ., x^{9 n + 17} \cdot [1]_{1}), (q_{L_{i}}, q_{R_{i}}, q_{O_{i}}, q_{M_{i}}, q_{C_{i}})_{i = 1}^{n}, σ^{*}, \begin{matrix} q_{L} (X) = \sum_{i = 1}^{n} q_{L_{i}} L_{i} (X), q_{R} (X) = \sum_{i = 1}^{n} q_{R_{i}} L_{i} (X), q_{O} (X) = \sum_{i = 1}^{n} q_{O_{i}} L_{i} (X), \\ q_{M} (X) = \sum_{i = 1}^{n} q_{M_{i}} L_{i} (X), q_{C} (X) = \sum_{i = 1}^{n} q_{C_{i}} L_{i} (X), \\ S_{σ_{1}} (X) = \sum_{i = 1}^{n} σ^{*} (i) L_{i} (X), S_{σ_{2}} (X) = \sum_{i = 1}^{n} σ^{*} (n + i) L_{i} (X), S_{σ_{3}} (X) = \sum_{i = 1}^{n} σ^{*} (2 n + i) L_{i} (X), \\ \begin{aligned} C_{0} (X) = & q_{L} (X^{8}) + X \cdot q_{R} (X^{8}) + X^{2} \cdot q_{O} (X^{8}) + X^{3} \cdot q_{M} (X^{8}) + X^{4} \cdot q_{C} (X^{8}) \\ + X^{5} \cdot S_{σ_{1}} (X^{8}) + X^{6} \cdot S_{σ_{2}} (X^{8}) + X^{7} \cdot S_{σ_{3}} (X^{8}) . \end{aligned} \end{matrix}

Degrees:

q_{L}, q_{R}, q_{O}, q_{M}, q_{C}, S_{σ_{1}}, S_{σ_{2}}, S_{σ_{3}} \in F_{< n} [X]

and

C_{0} \in F_{< 8 n} [X]

Public input:
$ℓ, (w_{i})_{i \in [ℓ]}$

Prover algorithm:

Prover input:
$(w_{i})_{i \in [3 (n - 2)]}$ .

We think the circuit as having at most

n - 2

"useful" gates, since the last two will be used to introduce random values to the wiring polynomials to achieve a zero-knowledge protocol.

Round 1:

Generate random blinding scalars

b_{1}, \dots, b_{9} \in F

Compute wire polynomials

a, b, c \in F_{< n} [X]

\begin{aligned} a (X) & := \sum_{i = 1}^{n - 2} w_{i} L_{i} (X) + b_{1} L_{n - 1} (X) + b_{2} L_{n} (X), \\ b (X) & := \sum_{i = 1}^{n - 2} w_{(n - 2) + i} L_{i} (X) + b_{3} L_{n - 1} (X) + b_{4} L_{n} (X), \\ c (X) & := \sum_{i = 1}^{n - 2} w_{2 (n - 2) + i} L_{i} (X) + b_{5} L_{n - 1} (X) + b_{6} L_{n} (X) . \end{aligned}

Compute public input polynomial

P I \in F_{< ℓ} [X]

\begin{array}{r} P I (X) := \sum_{i = 1}^{ℓ} - w_{i} L_{i} (X) . \end{array}

Compute quotient polynomial

T_{0} \in F_{< 2 n - 2} [X]

\begin{array}{r} T_{0} (X) := (q_{L} (X) a (X) + q_{R} (X) b (X) + q_{O} (X) c (X) + q_{M} (X) a (X) b (X) + q_{C} (X) + P I (X)) \frac{1}{Z_{H} (X)} . \end{array}

Compute the FFT-style combination polynomial

C_{1} \in F_{< 8 n - 8} [X]

\begin{array}{r} C_{1} (X) := a (X^{4}) + X \cdot b (X^{4}) + X^{2} \cdot c (X^{4}) + X^{3} \cdot T_{0} (X^{4}) . \end{array}

P

computes and sends

[C_{1}]_{1} := [C_{1} (x)]_{1}

Round 2:

Compute permutation challenges

β, γ \in F

β = H (t r a n s c r i p t, 0), γ = H (t r a n s c r i p t, 1)

Compute permutation polynomial

z \in F_{< n + 3} [X]

z (X) := (b_{7} X^{2} + b_{8} X + b_{9}) Z_{H} (X) + L_{1} (X) + \sum_{i = 1}^{n - 1} (L_{i + 1} (X) \prod_{j = 1}^{i} \frac{(w_{j} + β ω^{j} + γ) (w_{n + j} + β k_{1} ω^{j} + γ) (w_{2 n + j} + β k_{2} ω^{j} + γ)}{(w_{j} + β σ^{*} (j) + γ) (w_{n + j} + β σ^{*} (n + j) + γ) (w_{2 n + j} + β σ^{*} (2 n + j) + γ)})

Compute quotient polynomials

T_{1} \in F_{< n + 2} [X]

and

T_{2} \in F_{< 3 n} [X]

\begin{aligned} T_{1} (X) := & [L_{1} (X) (z (X) - 1)] \frac{1}{Z_{H} (X)}, \\ T_{2} (X) := & [(a (X) + β X + γ) (b (X) + β k_{1} X + γ) (c (X) + β k_{2} X + γ) z (X) \\ - (a (X) + β S_{σ_{1}} (X) + γ) (b (X) + β S_{σ_{2}} (X) + γ) (c (X) + β S_{σ_{3}} (X) + γ) z (X ω)] \frac{1}{Z_{H} (X)} . \end{aligned}

Compute the FFT-style combination polynomial

C_{2} \in F_{< 9 n} [X]

\begin{array}{r} C_{2} (X) := z (X^{3}) + X \cdot T_{1} (X^{3}) + X^{2} \cdot T_{2} (X^{3}) . \end{array}

P

computes and send

[C_{2}]_{1} := [C_{2} (x)]_{1}

Now,

P

must prove to

V

the following identities:

\begin{aligned} T_{0} (X) Z_{H} (X) = & q_{L} (X) a (X) + q_{R} (X) b (X) + q_{O} (X) c (X) + q_{M} (X) a (X) b (X) + q_{C} (X) + P I (X), \\ T_{1} (X) Z_{H} (X) = & L_{1} (X) (z (X) - 1), \\ T_{2} (X) Z_{H} (X) = & (a (X) + β X + γ) (b (X) + β k_{1} X + γ) (c (X) + β k_{2} X + γ) z (X) \\ - (a (X) + β S_{σ_{1}} (X) + γ) (b (X) + β S_{σ_{2}} (X) + γ) (c (X) + β S_{σ_{3}} (X) + γ) z (X ω) . \end{aligned}

Round 3:

Compute the random

r \in F

r = H (t r a n s c r i p t)

Compute evaluation challenge

z = r^{24}

. Notice that

z \in S

Compute opening evaluations:

\bar{q_{L}} = q_{L} (z), \bar{q_{R}} = q_{R} (z), \bar{q_{O}} = q_{O} (z), \bar{q_{M}} = q_{M} (z), \bar{q_{C}} = q_{C} (z) {\bar{S}}_{σ_{1}} = S_{σ_{1}} (z), {\bar{S}}_{σ_{2}} = S_{σ_{2}} (z), {\bar{S}}_{σ_{3}} = S_{σ_{3}} (z), \bar{a} = a (z), \bar{b} = b (z), \bar{c} = c (z), \bar{z} = z (z), {\bar{z}}_{ω} = z (z ω), {\bar{T_{1}}}_{ω} = T_{1} (z ω), {\bar{T_{2}}}_{ω} = T_{2} (z ω) .

Notice that these points are enough for opening

a, b, c, T_{0}

z

and

z, T_{1}, T_{2}

z

and

z ω

P

sends

(\bar{q_{L}}, \bar{q_{R}}, \bar{q_{O}}, \bar{q_{M}}, \bar{q_{C}}, {\bar{S}}_{σ_{1}}, {\bar{S}}_{σ_{2}}, {\bar{S}}_{σ_{3}}, \bar{a}, \bar{b}, \bar{c}, \bar{z}, {\bar{z}}_{ω}, {\bar{T_{1}}}_{ω}, {\bar{T_{2}}}_{ω})

V

Due to Lemma 5.1, P will equivalently:

Open
$C_{0}$ at
$S_{0} = r o o t s_{8} (z) = {h_{0}, h_{0} ω_{8}, h_{0} ω_{8}^{2}, h_{0} ω_{8}^{3}, h_{0} ω_{8}^{4}, h_{0} ω_{8}^{5}, h_{0} ω_{8}^{6}, h_{0} ω_{8}^{7}}$ .
Open
$C_{1}$ at
$S_{1} = r o o t s_{4} (z) = {h_{1}, h_{1} ω_{4}, h_{1} ω_{4}^{2}, h_{1} ω_{4}^{3}}$ .
Open
$C_{2}$ at
$S_{2} = r o o t s_{3} (z) \cup r o o t s_{3} (z ω) = {[h_{2}, h_{2} ω_{3}, h_{2} ω_{3}^{2}], [h_{3}, h_{3} ω_{3}, h_{3} ω_{3}^{2}]}$ .

Here,

h_{0}^{8} = z

h_{1}^{4} = z

h_{2}^{3} = z

and

h_{3}^{3} = z ω

, which are computed from

r

as follows:

$h_{0} = r^{3}$ , since
$h_{0}^{8} = r^{24} = z$ .
$h_{1} = r^{6}$ , since
$h_{1}^{4} = r^{24} = z$ .
$h_{2} = r^{8}$ , since
$h_{2}^{3} = r^{24} = z$ .
$h_{3} = r^{8} ω^{1 / 3}$ , since
$h_{3}^{3} = r^{24} ω = z ω$ .

To this end, P computes the sets

S_{0}, S_{1}, S_{2}

. He also computes the sets

Z_{0}, Z_{1}, Z_{2}

using

Z_{0}^{'}, Z_{1}^{'}, Z_{2}^{'}

defined as follows:

\begin{matrix} Z_{0}^{'} = {q_{L} (z), q_{R} (z), q_{O} (z), q_{M} (z), q_{C} (z), S_{σ_{1}} (z), S_{σ_{2}} (z), S_{σ_{3}} (z)}, \\ Z_{1}^{'} = {a (z), b (z), c (z), T_{0} (z)}, \\ Z_{2}^{'} = {[z (z), T_{1} (z), T_{2} (z)], [z (z ω), T_{1} (z ω), T_{2} (z ω)]}, \\ Z_{0} = {C_{0} (h_{0}), C_{0} (h_{0} ω_{8}), C_{0} (h_{0} ω_{8}^{2}), C_{0} (h_{0} ω_{8}^{3}), C_{0} (h_{0} ω_{8}^{4}), C_{0} (h_{0} ω_{8}^{5}), C_{0} (h_{0} ω_{8}^{6}), C_{0} (h_{0} ω_{8}^{7})}, \\ Z_{1} = {C_{1} (h_{1}), C_{1} (h_{1} ω_{4}), C_{1} (h_{1} ω_{4}^{2}), C_{1} (h_{1} ω_{4}^{3})}, \\ Z_{2} = {[C_{2} (h_{2}), C_{2} (h_{2} ω_{3}), C_{2} (h_{2} ω_{3}^{2})], [C_{2} (h_{3}), C_{2} (h_{3} ω_{3}), C_{2} (h_{3} ω_{3}^{2})]} . \end{matrix}

Note that

S_{i}

and

Z_{i}

can be also computed by

V

, for

i \in {0, 1, 2}

From now on, define

T = S_{0} \cup S_{1} \cup S_{2}

. We have

| T | = 18

Round 4:

Compute a challenge

α \in F

α = H (t r a n s c r i p t)

P

computes the polynomial

f \in F_{< 9 n + 12} [X]

\begin{aligned} f (X) := & (X^{4} - z) (X^{3} - z) (X^{3} - z ω) (C_{0} (X) - r_{0} (X)) + α (X^{8} - z) (X^{3} - z) (X^{3} - z ω) (C_{1} (X) - r_{1} (X)) + \\ + α^{2} (X^{8} - z) (X^{4} - z) (C_{2} (X) - r_{2} (X)), \end{aligned}

where:

The polynomial
$r_{0} \in F_{< 8} [X]$ is such that
$r_{0} (h_{0} ω_{8}^{i}) = C_{0} (h_{0} ω_{8}^{i})$ , for
$i \in [8]$ , that is:

$r_{0} (X) = \sum_{i = 1}^{8} C_{0} (h_{0} ω_{8}^{i - 1}) L_{i}^{(S_{0})} (X) .$
The polynomial
$r_{1} \in F_{< 4} [X]$ is such that
$r_{1} (h_{1} ω_{4}^{i}) = C_{1} (h_{1} ω_{4}^{i})$ , for
$i \in [4]$ , that is:

$r_{1} (X) = \sum_{i = 1}^{4} C_{1} (h_{1} ω_{4}^{i - 1}) L_{i}^{(S_{1})} (X) .$
The polynomial
$r_{2} \in F_{< 6} [X]$ is such that
$r_{2} (h_{j} ω_{3}^{i}) = C_{2} (h_{j} ω_{3}^{i})$ for
$i \in [3]$ ,
$j \in {2, 3}$ , that is:

$r_{2} (X) = \sum_{i = 1}^{3} C_{2} (h_{2} ω_{3}^{i - 1}) L_{i}^{(S_{2})} (X) + \sum_{i = 4}^{6} C_{2} (h_{3} ω_{3}^{i - 1}) L_{i}^{(S_{2})} (X) .$

P

computes the polynomial

W (X) := f (X) / Z_{T} (X) \in F_{< 9 n - 6} [X]

and sends

[W]_{1} := [(f / Z_{T}) (x)]_{1}

Round 5:

Compute a random evaluation point

y \in F

y = H (t r a n s c r i p t)

P computes the polynomial

L \in F_{< 9 n} [X]

\begin{aligned} L (X) := & (y^{4} - z) (y^{3} - z) (y^{3} - z ω) (C_{0} (X) - r_{0} (y)) + α (y^{8} - z) (y^{3} - z) (y^{3} - z ω) (C_{1} (X) - r_{1} (y)) + \\ + α^{2} (y^{8} - z) (y^{4} - z) (C_{2} (X) - r_{2} (y)) - Z_{T} (y) \frac{f (X)}{Z_{T} (X)} . \end{aligned}

P

computes the polynomial

W^{'} (X) := \frac{L (X)}{Z_{T ∖ S_{0}} (y) (X - y)} \in F_{< 9 n - 1} [X]

and sends

[W^{'}]_{1} := [W^{'} (x)]_{1}

Return:

π_{SNARK} = (\begin{array}{r} \begin{array}{c} [C_{1}]_{1}, [C_{2}]_{1}, [W]_{1}, [W^{'}]_{1}, \\ \bar{q_{L}}, \bar{q_{R}}, \bar{q_{O}}, \bar{q_{M}}, \bar{q_{C}}, {\bar{S}}_{σ_{1}}, {\bar{S}}_{σ_{2}}, {\bar{S}}_{σ_{3}}, \bar{a}, \bar{b}, \bar{c}, \bar{z}, {\bar{z}}_{ω}, {\bar{T_{1}}}_{ω}, {\bar{T_{2}}}_{ω} \end{array} \end{array})

Verifier algorithm:

Verifier preprocessed input:

[C_{0}]_{1} := C_{0} (x) \cdot [1]_{1}, x \cdot [1]_{2}

V ((w_{i})_{i \in [ℓ]}, π_{SNARK})

Validate
$[C_{1}]_{1}, [C_{2}]_{1}, [W]_{1}, [W^{'}]_{1} \in G_{1}$ .
Validate
$\bar{q_{L}}, \bar{q_{R}}, \bar{q_{O}}, \bar{q_{M}}, \bar{q_{C}}, {\bar{S}}_{σ_{1}}, {\bar{S}}_{σ_{2}}, {\bar{S}}_{σ_{3}}, \bar{a}, \bar{b}, \bar{c}, \bar{z}, {\bar{z}}_{ω}, {\bar{T_{1}}}_{ω}, {\bar{T_{2}}}_{ω} \in F$ .
Validate
$w_{i} \in F$ for
$i \in [ℓ]$ .
Compute challenges
$β, γ, z, α, y \in F$ as in prover description, from the common inputs, public input, and the elements of
$π_{SNARK}$ .
Compute zero polynomial evaluation
$Z_{H} (z) = z^{n} - 1$ .
Compute Lagrange polynomial evaluation
$L_{1} (z) = \frac{ω (z^{n} - 1)}{n (z - ω)}$ .
Compute public input polynomial evaluation
$P I (z) = \sum_{i = 1}^{ℓ} - w_{i} L_{i} (z)$ .
Computes
$r_{0} (y) = \sum_{i = 1}^{8} C_{0} (h_{0} ω_{8}^{i - 1}) L_{i}^{(S_{0})} (y)$ . To this end,
$V$ needs to compute
$Z_{0}$ , and he can do so from
$\bar{q_{L}}, \bar{q_{R}}, \bar{q_{O}}, \bar{q_{M}}, \bar{q_{C}}, {\bar{S}}_{σ_{1}}, {\bar{S}}_{σ_{2}}, {\bar{S}}_{σ_{3}}$ .
Computes
$r_{1} (y) = \sum_{i = 1}^{4} C_{1} (h_{1} ω_{4}^{i - 1}) L_{i}^{(S_{1})} (y)$ . To this end,
$V$ needs to compute
$Z_{1}$ , and he can do so from
$\bar{q_{L}}, \bar{q_{R}}, \bar{q_{O}}, \bar{q_{M}}, \bar{q_{C}}, \bar{a}, \bar{b}, \bar{c}$ . In particular, to compute
$T_{0} (z)$ , he proceeds as follows:

$T_{0} (z) = (\bar{q_{L}} \bar{a} + \bar{q_{R}} \bar{b} + \bar{q_{O}} \bar{c} + \bar{q_{M}} \bar{a} \bar{b} + \bar{q_{C}} + P I (z)) \frac{1}{Z_{H} (z)}$
Computes
$r_{2} (X) = \sum_{i = 1}^{3} C_{2} (h_{2} ω_{3}^{i - 1}) L_{i}^{(S_{2})} (X) + \sum_{i = 4}^{6} C_{2} (h_{3} ω_{3}^{i - 1}) L_{i}^{(S_{2})} (X)$ . To this end,
$V$ needs to compute
$Z_{2}$ , and he can do so from
${\bar{S}}_{σ_{1}}, {\bar{S}}_{σ_{2}}, {\bar{S}}_{σ_{3}}, \bar{a}, \bar{b}, \bar{c}, \bar{z}, {\bar{z}}_{ω}, {\bar{T_{1}}}_{ω}, {\bar{T_{2}}}_{ω}$ . In particular, to compute
$T_{1} (z)$ and
$T_{2} (z)$ , he proceeds as follows:

$\begin{aligned} T_{1} (z) = & [L_{1} (z) (\bar{z} - 1)] \frac{1}{Z_{H} (z)} \\ T_{2} (z) = & [(\bar{a} + β z + γ) (\bar{b} + β k_{1} z + γ) (\bar{c} + β k_{2} z + γ) \bar{z} \\ - (\bar{a} + β {\bar{S}}_{σ_{1}} + γ) (\bar{b} + β {\bar{S}}_{σ_{2}} + γ) (\bar{c} + β {\bar{S}}_{σ_{3}} + γ) {\bar{z}}_{ω}] \frac{1}{Z_{H} (z)} \end{aligned}$

Helper for the Steps 8,9,10:

\begin{aligned} C_{0} (h_{0} ω_{8}^{i}) = & \bar{q_{L}} + (h_{0} ω_{8}^{i}) \cdot \bar{q_{R}} + (h_{0} ω_{8}^{i})^{2} \cdot \bar{q_{O}} + (h_{0} ω_{8}^{i})^{3} \cdot \bar{q_{M}} + (h_{0} ω_{8}^{i})^{4} \cdot \bar{q_{C}} \\ + (h_{0} ω_{8}^{i})^{5} \cdot {\bar{S}}_{σ_{1}} + (h_{0} ω_{8}^{i})^{6} \cdot {\bar{S}}_{σ_{2}} + (h_{0} ω_{8}^{i})^{7} \cdot {\bar{S}}_{σ_{3}} \\ C_{1} (h_{1} ω_{4}^{i}) = & \bar{a} + (h_{1} ω_{4}^{i}) \cdot \bar{b} + (h_{1} ω_{4}^{i})^{2} \cdot \bar{c} + (h_{1} ω_{4}^{i})^{3} \cdot T_{0} (z) \\ C_{2} (h_{2} ω_{3}^{i}) = & \bar{z} + (h_{2} ω_{3}^{i}) \cdot T_{1} (z) + (h_{2} ω_{3}^{i})^{2} \cdot T_{2} (z) \\ C_{2} (h_{3} ω_{3}^{i}) = & {\bar{z}}_{ω} + (h_{3} ω_{3}^{i}) \cdot {\bar{T_{1}}}_{ω} + (h_{3} ω_{3}^{i})^{2} \cdot {\bar{T_{2}}}_{ω} \end{aligned}

Compute the polynomial commitment
$[F]_{1}$ :

$\begin{aligned} [F]_{1} := & [C_{0}]_{1} + α \frac{(y^{8} - z) (y^{3} - z) (y^{3} - z ω)}{(y^{4} - z) (y^{3} - z) (y^{3} - z ω)} [C_{1}]_{1} + α^{2} \frac{(y^{8} - z) (y^{4} - z)}{(y^{4} - z) (y^{3} - z) (y^{3} - z ω)} [C_{2}]_{1} \end{aligned}$
Compute group-encoded batch evaluation
$[E]_{1}$ :

$\begin{aligned} [E]_{1} := & (r_{0} (y) + α \frac{(y^{8} - z) (y^{3} - z) (y^{3} - z ω)}{(y^{4} - z) (y^{3} - z) (y^{3} - z ω)} r_{1} (y) + α^{2} \frac{(y^{8} - z) (y^{4} - z)}{(y^{4} - z) (y^{3} - z) (y^{3} - z ω)} r_{2} (y)) \cdot [1]_{1} \end{aligned}$
Compute the full difference
$[J]_{1}$ :

$[J]_{1} := (y^{8} - z) [W]_{1}$
Validate all evaluations:

e ([F]_{1} - [E]_{1} - [J]_{1} + y [W^{'}]_{1}, [1]_{2}) \overset{?}{=} e ([W^{'}]_{1}, [x]_{2})

Some Doubts and Open Questions

[Solved] Election of
$A$ : For our use case
$12$ is a good candidate since it is the least common multiple of
$3$ and
$4$ , but in the paper they claim that
$24$ is necessary. Why? I think that they say that because they are considering the commitment to the preprocessed polynomials (which are
$8$ are therefore the
$lcm (3, 4, 8) = 24$ ). ~~However, we have seen the verifier do not need to use the commitments to the preprocessed polynomials, and therefore are not necessary.~~
[Solved] Section 7 Assumptions: ~~At the beginning of Section 7, why do you assume that~~
$24 n$ divides
$p - 1$ ? I suppose that is to guarantee the existence of the different roots that have to be computed during the protocol. YES: it is to be able to compute roots of the generator
$ω$ .
[Solved] ~~Preprocessed Polynomials~~
$q_{L}, q_{R}, q_{O}, q_{M}, q_{C}, S_{σ_{1}}, S_{σ_{2}}, S_{σ_{3}}$ : I do not know yet why the verifier need to use the commitments to the preprocessed polynomials, I need to figure it out (it only uses
$[x]_{2}$ from the preprocessing). Why do they need to send to the verifier in Lemma 6.4? In case we have to, the prover computes
$g := {combine}_{t_{0}} (\overset{―}{f_{0}})$ and sends the commitment to
$g$ to the verifier, which I do not see how this commitment would be used by the verifier itself.
[Solved] Computation of
$r_{1}, r_{2}$ : In round 4 of the proving algorithm, the prover computes the polynomials
$r_{1} \in F_{< 4} [X]$ and
$r_{1} \in F_{< 6} [X]$ by Lagrange interpolation. How does the verifier need to obtain them? He needs so to compute
$r_{1} (y), r_{2} (y)$ . If they are computed via Lagrange interpolation, the verifier complexity will be dominated by this computation (rather than elliptic curve operations).
- We are exploring the prover sending
  $r_{1} (y)$ and
  $r_{2} (y)$ to the verifier, but we must check if this would break the soundness of the protocol. Moreover, this would increase the proof size by
  $2$ field elements.
- We are exploring a sound alternative: the prover sending to the verifier the inverse needed to compute the
  $10$ Lagrange polynomials needed in the definition of
  $r_{1} (y), r_{2} (y)$ . We are using a batching protocol for computing multiple inverses, so with one is enough.

tags: `PlonK`

Hint: Take an element of order
$24 n$ and check the relationship between this element and
$ω$ . ↩︎

Daniel Lubarov

2023/02/17 18:54:52

a generator of order $4$ and by

nit: to be precise I would say ω_4 is a primitive 4th root of unity, or a generator of order 4. I.e. not order 1 or 2. (Edited)

Héctor Masip

2023/02/20 16:39:41

You are right. This is much more correct, thank you!

Fflonk

Comparison to Other Protocols

Full Description of the Protocol

Common preprocessed input:

Public input: ℓ,(wi)i∈[ℓ]

Prover algorithm:

Prover input: (wi)i∈[3(n−2)].

Round 1:

Round 2:

Round 3:

Round 4:

Round 5:

Verifier algorithm:

Verifier preprocessed input:

Some Doubts and Open Questions

tags: PlonK

Read more

Computing the Optimal Ate Pairing over the BN254 Curve

Elliptic Curves over Goldilocks

Computing the Optimal Ate Pairing over the BLS12-381 Curve

The Sponge Construction in Polygon zkEVM

Public input:
$ℓ, (w_{i})_{i \in [ℓ]}$

Prover input:
$(w_{i})_{i \in [3 (n - 2)]}$ .

tags: `PlonK`