IPA Commitment Scheme Specification

tags: `aztec-3, honk`

In this document, we try to answer the following questions:

How the Inner Product Argument (IPA) Polynoimial Commitment Scheme (PCS) works?
How are we going to use IPA PCS in Aztec 3?

How Does the IPA PCS Work?

We consider the IPA PCS described in Section 3 of the Halo paper. We don't need it to be zero-knowledge. In high level, this is because the IPA PCS will be used at the last stage of Aztec 3 (similar to the smart contract/root verifier as in Aztec connect).

Notation: We denote vectors by bold letters, group elements by capital letters, and scalars by small letters. Multiplication of a scalar

m

with a group element

G

i.e.,

G

added to itself

m

times, is denoted by

[m] G

Now we describe the IPA PCS.

Let

p (X) = \sum_{i = 0}^{d - 1} a [i] X^{i}

be a polynopmial of degree

d - 1

where

d = 2^{k}

for some integer

k

. The vector

a

stores the coefficients of the polynomial

p (x)

. Let

x \in F_{p}

be a random evaluation point and

v

the evaluation of

p (X)

x

. Let the vector

b

represent the consecutive powers of

x

i.e.,

b ≜ (1, x, x^{2}, \dots, x^{d - 1})

. Then we have

v = ⟨ a, b ⟩

Let

G ≜ (G_{0}, G_{1}, \dots, G_{d - 1})

denote the publicly known vector of group elements (srs points to be precise). Then the commitment to the polynomial

p (x)

is defined as (we are ignoring the blinding factor as we do not need zero-knowledge)

\begin{array}{r} C ≜ ⟨ a, G ⟩ . \end{array}

Given

(C, x, v)

as public input (

G, b

are also known publicly), the IPA PCS enables a prover to convince the verifier that

C

is indeed the commitment to the polynomial

p (x)

and

v

is indeed the evaluation of

p (x)

on the challenge point

x

i.e. it is a perfect special honest verifier zero-knowledge argument of knowledge for the relation:

\begin{array}{r} {((C, x, v); a) : C = ⟨ a, G ⟩ \land v = ⟨ a, b ⟩} . \end{array}

The steps of the protocol is described below.

First, the verifier sends a random group element
$U$ (referred as aux_generator in the code) to the prover. Both prover and verifier compute the quantity

$\begin{array}{r} C^{'} = C + [v] U . \end{array}$
We are coupling the commitment of the polynomial with the evaluation of the polynomial to simultaneously show that
$C$ and
$v$ are computed correctly. Notice that
$C^{'}$ can be alternatively expressed as

$\begin{array}{r} (1) & C^{'} = ⟨ a, G ⟩ + [⟨ a, b ⟩] U . \end{array}$
IPA PCS is an argument of knowledge where the prover proves the knowledge of a vector
$a$ such that equation (1) holds with a communication cost logarithmic to the length of
$a$ . As the prover does not know
$U$ in advance, this proves that
(a)
$C$ is the commitment to the polynomial
$p (x)$ at the srs points
$G$ i.e.,
$C = ⟨ a, G ⟩$ and
(b)
$v$ is the evaluation of
$p (x)$ at
$x$ i.e.
$v = ⟨ a, b ⟩$ . The next steps are as follows.
Let
$d = 2^{k}$ . We shall iterate over
$j$ starting from
$k$ to 1. We initialize

$\begin{array}{r} G^{(k)} ≜ G, a^{(k)} ≜ a, b^{(k)} ≜ b . \end{array}$
The prover computes the quantities

$\begin{aligned} L_{j} & = ⟨ a_{l o}^{(j)}, G_{h i}^{(j)} ⟩ + [⟨ a_{l o}^{(j)}, b_{h i}^{(j)} ⟩] U, \\ R_{j} & = ⟨ a_{h i}^{(j)}, G_{l o}^{(j)} ⟩ + [⟨ a_{h i}^{(j)}, b_{l o}^{(j)} ⟩] U, \end{aligned}$
and sends to the verifier. Here, the vector
$a_{l o}^{(j)}$ denotes the lower half over the vector
$a^{(j)}$ and the vector
$a_{h i}^{(j)}$ denotes the upper half of the vector
$a^{(j)}$ . The verifier generates a Fiat-Shamir challenge
$u_{j}$ and sends to the prover. For the next
$(j - 1)$ th round, the prover computes the following quantities

$\begin{aligned} a^{(j - 1)} & = a_{l o}^{(j)} * u_{j} + a_{h i}^{(j)} * u_{j}^{- 1}, \\ b^{(j - 1)} & = b_{l o}^{(j)} * u_{j}^{- 1} + b_{h i}^{(j)} * u_{j}, \\ G^{(j - 1)} & = G_{l o}^{(j)} * u_{j}^{- 1} + G_{h i}^{(j)} * u_{j} . \end{aligned}$
At the end (
$j = 1$ ), the prover has computed the following quantities

$\begin{array}{r} (L, R, G^{(0)}, a^{(0)}, b^{(0)}), \end{array}$
where the vectors
$L, R$ contain respectively the elements
$L_{0}, \dots, L_{k}, R_{0}, \dots, R_{k}$ ,
$k$ group elements each.
$G^{(0)}, a^{(0)}, b^{(0)}$ represent the
$k$ times folded versions of
$G$ ,
$a$ ,
$b$ and are a group and a couple of field elements respectively.
At the begining, the verifier has computed

$\begin{array}{r} (2) & C^{'} = ⟨ a, G ⟩ + [⟨ a, b ⟩] U = C + [v] U . \end{array}$
We have
$C^{(k)} = C^{'}$ ,
$a^{(k)} = a$ ,
$b^{(k)} = b$ ,
$G^{(k)} = G$ as initialized above. For the
$(k - 1)$ th round, we have

$\begin{aligned} C^{(k - 1)} & = ⟨ a^{(k - 1)}, G^{(k - 1)} ⟩ + [⟨ a^{(k - 1)}, b^{(k - 1)} ⟩] U \\ = ⟨ a_{l o}^{(k)} * u_{k} + a_{h i}^{(k)} * u_{k}^{- 1}, G_{l o}^{(k)} * u_{k}^{- 1} + G_{h i}^{(k)} * u_{k} ⟩ \\ + [⟨ a_{l o}^{(k)} * u_{k} + a_{h i}^{(k)} * u_{k}^{- 1}, b_{l o}^{(k)} * u_{k}^{- 1} + b_{h i}^{(k)} * u_{k} ⟩] U \\ = (⟨ a_{l o}^{(k)}, G_{l o}^{(k)} ⟩ + ⟨ a_{h i}^{(k)}, G_{h i}^{(k)} ⟩) + u_{k}^{2} (⟨ a_{l o}^{(k)}, G_{h i}^{(k)} ⟩ + [⟨ a_{l o}^{(k)}, b_{h i}^{(k)} ⟩] U) \\ + u_{k}^{- 2} (⟨ a_{h i}^{(k)}, G_{l o}^{(k)} ⟩ + [⟨ a_{h i}^{(k)}, b_{l o}^{(k)} ⟩] U) + [⟨ a_{l o}^{(k)}, b_{l o}^{(k)} ⟩ + ⟨ a_{h i}^{(k)}, b_{h i}^{(k)} ⟩] U \\ = ⟨ a^{(k)}, G^{(k)} ⟩ + [u_{k}^{2}] L_{k} + [u_{k}^{- 2}] R_{k} + [⟨ a^{(k)}, b^{(k)} ⟩] U \\ = C^{(k)} + [u_{k}^{2}] L_{k} + [u_{k}^{- 2}] R_{k} . \end{aligned}$
Following the same approach, we can inductively write,

$\begin{array}{r} (3) & C^{(0)} = C^{'} + \sum_{j = 1}^{k} ([u_{j}^{2}] L_{j}) + \sum_{j = 1}^{k} ([u_{j}^{- 2}] R_{j}) . \end{array}$

Following equation (2), we can alternatively express

C^{(0)}

as,

\begin{aligned} C^{(0)} & = [a^{(0)}] G^{(0)} + [a^{(0)} * b^{(0)}] U, \\ = [a^{(0)}] (G^{(0)} + [b^{(0)}] U) . \end{aligned}

Suppose, the prover provides

G^{(0)}

and

b^{(0)}

along with

L

and

R

to the verifier. The verification proceeds as follows.
(i) The verifier computes

C^{(0)}

as in equation (3).
(ii) The verifier checks if

b^{(0)}

provided by the prover is computed correctly.
(iii) The verifier checks if

G^{(0)}

provided by the prover is computed correctly.
(iv) The prover proves knowledge of

a^{(0)}

such that

\begin{array}{r} (4) & C^{(0)} = [a^{(0)}] (G^{(0)} + [b^{(0)}] U), \end{array}

holds. Below we describe steps (ii), (iii), and (iv) in more details.

Steps (ii) and (iii)

From the section 3.1 of the Halo paper, we define the vector

s

\begin{aligned} s = ( & u_{1}^{- 1} * u_{2}^{- 1} * \dots * u_{k}^{- 1}, \\ u_{1} * u_{2}^{- 1} * \dots * u_{k}^{- 1}, \\ u_{1}^{- 1} * u_{2} * \dots * u_{k}^{- 1}, \\ u_{1} * u_{2} * \dots * u_{k}^{- 1}, \\ ⋮ \\ u_{1} * u_{2} * \dots * u_{k}) . \end{aligned}

Because of the binary structure of the folding of

G, b

, we have

\begin{array}{r} b^{(0)} = ⟨ s, b ⟩, G^{(0)} = ⟨ s, G ⟩ . \end{array}

As observed in the Halo paper (Equation 3, https://eprint.iacr.org/2019/1021.pdf, we notice that the equation

g (X, u_{1}, u_{2}, \dots, u_{k}) = \prod_{i = 1}^{k} (u_{i} + u_{i}^{- 1} X^{2^{i - 1}})

is wrong),

b^{(0)}

can be efficiently computed by the verifier by defining the polynomial,

\begin{array}{r} g (X, u_{1}, u_{2}, \dots, u_{k}) = \prod_{i = 1}^{k} (u_{i}^{- 1} + u_{i} X^{2^{i - 1}}), \end{array}

and evaluating it at x, i.e.,

\begin{array}{r} b^{(0)} = ⟨ s, b ⟩ = g (x, u_{1}, u_{2}, \dots, u_{k}) . \end{array}

The above can be computed in logarithmic time. However, computing

G^{(0)} = ⟨ s, G ⟩

still requires a linear-time (

O (d)

) multiscalar multiplication (MSM). However as discussed in the paper, this cost can be amortized by delegating all these step (iv) verifications at the last step of

m

IPA verifications. We discuss more on this in the subsequent section.

Q: How to check

b^{(0)} = ⟨ s, b ⟩ = g (x, u_{1}, u_{2}, \dots, u_{k})

?
A: Rather than giving a formal inductive proof, we give a small example for a better intuition. Let

d = 4

b = b^{(2)} = (b_{0}, b_{1}, b_{2}, b_{3})

. The round challenges are

u_{2}

and

u_{1}

. Then for the first round,

\begin{aligned} b^{(1)} & = b_{l o}^{(2)} * u_{2}^{- 1} + b_{h i}^{(2)} * u_{2}, \\ = (b_{0}, b_{1}) u_{2}^{- 1} + (b_{2}, b_{3}) u_{2}, \\ = (b_{0} u_{2}^{- 1} + b_{2} u_{2}, b_{1} u_{2}^{- 1} + b_{3} u_{2}) . \end{aligned}

And for the next and the last round we have,

\begin{aligned} b^{(0)} & = b_{l o}^{(1)} * u_{1}^{- 1} + b_{h i}^{(1)} * u_{1}, \\ = (b_{0} u_{2}^{- 1} + b_{2} u_{2}) u_{1}^{- 1} + (b_{1} u_{2}^{- 1} + b_{3} u_{2}) u_{1}, \\ = b_{0} u_{1}^{- 1} u_{2}^{- 1} + b_{1} u_{1} u_{2}^{- 1} + b_{2} u_{1}^{- 1} u_{2} + b_{3} u_{1} u_{2}, \\ = ⟨ (u_{1}^{- 1} u_{2}^{- 1}, u_{1} u_{2}^{- 1}, u_{1}^{- 1} u_{2}, u_{1} u_{2}), (b_{0}, b_{1}, b_{2}, b_{3}) ⟩, \\ = ⟨ s, b ⟩ . \end{aligned}

Similarly we can show that

G^{(0)} = ⟨ s, G ⟩

. Next lets verify

b^{(0)} = g (x, u_{1}, u_{2}, \dots, u_{k})

\begin{aligned} g (x, u_{1}, u_{2}) & = \prod_{i = 1}^{2} (u_{i}^{- 1} + u_{i} x^{2^{i - 1}}) \\ = (u_{1}^{- 1} + u_{1} x) (u_{2}^{- 1} + u_{2} x^{2}) \\ = u_{1}^{- 1} u_{2}^{- 1} + u_{1} u_{2}^{- 1} x + u_{1}^{- 1} u_{2} x^{2} + u_{1} u_{2} x^{3} . \end{aligned}

Given

x

the evaluation point, we have

b = (b_{0}, b_{1}, b_{2}, b_{3}) = (1, x, x^{2}, x^{3})

, which verifies the claim.

Step (iv)

In step (iv), the prover proves knowledge of

a^{(0)}

such that

\begin{array}{r} C^{(0)} = [a^{(0)}] (G^{(0)} + [b^{(0)}] U), \end{array}

holds. The paper uses a generalized Schnorr protocol to achieve this.
(a) The prover samples random

d \in F_{p}

. Then she computes

R ≜ [d] (G^{(0)} + [b^{(0)}] U)

. The prover sends

R

to the verifier.
(b) The verifier samples a random challenge

c

from

F_{p}

and sends it to the prover.
( c) The prover computes

z = a^{(0)} c + d

and sends it to the verifier. The verifier accepts if

\begin{array}{r} [c] C^{(0)} + R \overset{?}{=} [z] (G^{(0)} + [b^{(0)}] U) . \end{array}

However, as we are not concerned with zero knowledge, in code the prover directly reveals

a^{(0)}

as a part of the proof.

Summary of IPA-PCS

Let the underlying field be

F_{p}

, the number of points on the curve is

r

Public inputs:
$G$ ,
$b$ ,
$(C, x, v)$ .
Prover's witness:
$a$ .
Proof:
$(L, R, a^{(0)})$ .
Verifier's work:

Compute:
$C^{'} = C + [v] U$ .
Compute:
$C^{(0)} = C^{'} + \sum_{j = 1}^{k} ([u_{j}^{2}] L_{j}) + \sum_{j = 1}^{k} ([u_{j}^{- 2}] R_{j})$ .
Check:
$b^{(0)} \overset{?}{=} g (x, u_{1}, u_{2}, \dots, u_{k}) = \prod_{i = 1}^{k} (u_{i}^{- 1} + u_{i} x^{2^{i - 1}})$ (field operation in
$F_{r}$ as we need to check modulo
$r$ for all quantities).
Check:
$G^{(0)} \overset{?}{=} ⟨ s, G ⟩$ (group operation in
$F_{p}$ as the underlying
$x$ and
$y$ co-ordinates are the elements of the field
$F_{p}$ ).
Check:
$C^{(0)} \overset{?}{=} [a^{(0)}] (G^{(0)} + [b^{(0)}] U)$ .

Accumulation of IPA-PCS and Recursive Process in Aztec 3

The below idea was described by Zac in Istanbul.

In the diagram below, we sketch the idea of recursive process in Aztec 3. Suppose circuit

A

and

B

operate over the BN254 curve and circuit

C

operates over the Grumpkin curve. As depicted in the diagram, let the BN254 curve be designed over

F_{p}

and the number of points in the elliptic curve group is

r

. As a result, operations over

F_{p}

is expensive and operations over

F_{r}

is cheap.

For the Grumkin curve, the opposite is true, i.e., it is designed over

F_{r}

and the number of points in the elliptic curve group is

p

. As a result, operations over

F_{r}

is expensive and operations over

F_{p}

is cheap.

Note: In the code, we refer a scalar in the field

F_{r}

as barretenberg::fr or grumpkin::fq. Also a scalar in the field

F_{q}

is referred as barretenberg::fq or grumpkin::fr.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Suppose circuit

A

produces a IPA proof

Π_{A}

and circuit

B

verifies it i.e., it produces a proof

Π_{B}

which attests that

Π_{A}

is verified successfully. As discussed in the previous section, to verify

Π_{A}

, circuit

B

needs to perform

Field opeartions in
$F_{r}$ (step 3 in the above section).
Group operations in
$F_{p}$ (step 4 in the above section).
As mentioned above, the second operation is very expensive for circuit
$B$ . The idea is to delegate step 2 in the following way.

We construct another circuit

C

over the Grumpkin curve, which accumulates

m

(say)

Π_{A}

proofs and produces another IPA proof that linear MSMs of all

Π_{A}

s are computed correctly. To elaborate on this, let

G_{1}^{(0)}, G_{2}^{(0)}, \dots, G_{m}^{(0)}

be the

m

group elements of

m

IPA proofs. As described in Section 3.2 of the Halo paper, checking the correctness of these quantities can be batched by taking a linear combination of these elements and calling the IPA once.

Now circuit

B

needs to fully verify

Π_{C}

. However as circuit

C

is defined over the Grumpkin curve instead of the BN254 curve, circuit

B

needs to do,

Field opeartions in
$F_{p}$ (step 3 in the above section),
Group operations in
$F_{r}$ (step 4 in the above section),
which are cheaper than group operations in
$F_{p}$ for circuit
$B$ as it is designed over the BN254 curve (designed over
$F_{p}$ , # points
$= r$ ).

Optimizations:

There can be some optimizations over the above protocol which follows the Halo paper. We write them below.

(1)

In the above protocol, in the

k

rounds, the prover computes

\begin{aligned} a^{(j - 1)} & = a_{l o}^{(j)} * u_{j} + a_{h i}^{(j)} * u_{j}^{- 1}, \\ b^{(j - 1)} & = b_{l o}^{(j)} * u_{j}^{- 1} + b_{h i}^{(j)} * u_{j}, \\ G^{(j - 1)} & = G_{l o}^{(j)} * u_{j}^{- 1} + G_{h i}^{(j)} * u_{j} . \end{aligned}

Instead of the above, we define the quantities for the next round as

\begin{aligned} a^{(j - 1)} & = a_{l o}^{(j)} + a_{h i}^{(j)} * u_{j}, \\ b^{(j - 1)} & = b_{l o}^{(j)} + b_{h i}^{(j)} * u_{j}^{- 1}, \\ G^{(j - 1)} & = G_{l o}^{(j)} + G_{h i}^{(j)} * u_{j}^{- 1} . \end{aligned}

This was originally proposed in Figure 3 of the Halo Infinite paper. As we can see, this reduces the number of scalar multiplication by the prover. As a result, For the

(k - 1)

th round, we have

\begin{aligned} C^{(k - 1)} & = ⟨ a^{(k - 1)}, G^{(k - 1)} ⟩ + [⟨ a^{(k - 1)}, b^{(k - 1)} ⟩] U \\ = ⟨ a_{l o}^{(k)} + a_{h i}^{(k)} * u_{k}, G_{l o}^{(k)} + G_{h i}^{(k)} * u_{k}^{(- 1)} ⟩ \\ + [⟨ a_{l o}^{(k)} + a_{h i}^{(k)} * u_{k}, b_{l o}^{(k)} + b_{h i}^{(k)} * u_{k}^{- 1} ⟩] U \\ = (⟨ a_{l o}^{(k)}, G_{l o}^{(k)} ⟩ + ⟨ a_{h i}^{(k)}, G_{h i}^{(k)} ⟩) + u_{k}^{- 1} (⟨ a_{l o}^{(k)}, G_{h i}^{(k)} ⟩ + [⟨ a_{l o}^{(k)}, b_{h i}^{(k)} ⟩] U) \\ + u_{k} (⟨ a_{h i}^{(k)}, G_{l o}^{(k)} ⟩ + [⟨ a_{h i}^{(k)}, b_{l o}^{(k)} ⟩] U) + [⟨ a_{l o}^{(k)}, b_{l o}^{(k)} ⟩ + ⟨ a_{h i}^{(k)}, b_{h i}^{(k)} ⟩] U \\ = ⟨ a^{(k)}, G^{(k)} ⟩ + [u_{k}^{- 1}] L_{k} + [u_{k}] R_{k} + [⟨ a^{(k)}, b^{(k)} ⟩] U \\ = C^{(k)} + [u_{k}^{- 1}] L_{k} + [u_{k}] R_{k} . \end{aligned}

Following the same approach, we can inductively write,

\begin{array}{r} (5) & C^{(0)} = C^{'} + \sum_{j = 1}^{k} ([u_{j}^{- 1}] L_{j}) + \sum_{j = 1}^{k} ([u_{j}] R_{j}) . \end{array}

Note: It also changes the

s

and

g (X)

. Below we compute them.

To compute

s

and

g (X, u_{1}, u_{2}, \dots, u_{k})

such that

b^{(0)} = ⟨ s, b ⟩ = g (x, u_{1}, u_{2}, \dots, u_{k})

. Again, rather than giving a formal inductive proof, we give a small example for a better intuition.
Let

d = 4

b = b^{(2)} = (b_{0}, b_{1}, b_{2}, b_{3})

. The round challenges are

u_{2}

and

u_{1}

. Then for the first round,

\begin{aligned} b^{(1)} & = b_{l o}^{(2)} + b_{h i}^{(2)} * u_{2}^{- 1}, \\ = (b_{0}, b_{1}) + (b_{2}, b_{3}) u_{2}^{- 1}, \\ = (b_{0} + b_{2} u_{2}^{- 1}, b_{1} + b_{3} u_{2}^{- 1}) . \end{aligned}

And for the next and the last round we have,

\begin{aligned} b^{(0)} & = b_{l o}^{(1)} + b_{h i}^{(1)} * u_{1}^{- 1}, \\ = (b_{0} + b_{2} u_{2}^{- 1}) + (b_{1} + b_{3} u_{2}^{- 1}) u_{1}^{- 1}, \\ = b_{0} + b_{1} u_{1}^{- 1} + b_{2} u_{2}^{- 1} + b_{3} u_{1}^{- 1} u_{2}^{- 1}, \\ = ⟨ (1, u_{1}^{- 1}, u_{2}^{- 1}, u_{1}^{- 1} u_{2}^{- 1}), (b_{0}, b_{1}, b_{2}, b_{3}) ⟩ . \end{aligned}

From this we have

s = (1, u_{1}^{- 1}, u_{2}^{- 1}, u_{1}^{- 1} u_{2}^{- 1})

. For general

k

, we get,

\begin{aligned} s = ( & u_{1}^{0} * u_{2}^{0} * \dots * u_{k}^{0}, \\ u_{1}^{- 1} * u_{2}^{0} * \dots * u_{k}^{0}, \\ u_{1}^{0} * u_{2}^{- 1} * \dots * u_{k}^{0}, \\ u_{1}^{- 1} * u_{2}^{- 1} * \dots * u_{k}^{0}, \\ ⋮ \\ u_{1}^{- 1} * u_{2}^{- 1} * \dots * u_{k}^{- 1}) . \end{aligned}

Next lets compute

g (x, u_{1}, u_{2}, \dots, u_{k})

such that

b^{(0)} = g (x, u_{1}, u_{2}, \dots, u_{k})

. By observation we have (by change in variable in the previous equation)

g (x, u_{1}, u_{2}) = \prod_{i = 1}^{k} (1 + u_{i}^{- 1} x^{2^{i - 1}})

. For the example, we verify this below,

\begin{aligned} g (x, u_{1}, u_{2}) & = \prod_{i = 1}^{2} (1 + u_{i}^{- 1} x^{2^{i - 1}}) \\ = (1 + u_{1}^{- 1} x) (1 + u_{2}^{- 1} x^{2}) \\ = 1 + u_{1}^{- 1} x + u_{2}^{- 1} x^{2} + u_{1}^{- 1} u_{2}^{- 1} x^{3} . \end{aligned}

Given

x

the evaluation point, we have

b = (b_{0}, b_{1}, b_{2}, b_{3}) = (1, x, x^{2}, x^{3})

, which verifies the claim.

References

Halo paper (https://eprint.iacr.org/2019/1021.pdf).
Halo Infinite paper (https://eprint.iacr.org/2020/1536.pdf)
ZK Hack whiteboard session (https://www.youtube.com/watch?v=RaEs5mnXIhY)

IPA Commitment Scheme Specification

tags: aztec-3, honk

How Does the IPA PCS Work?

Steps (ii) and (iii)

Step (iv)

Summary of IPA-PCS

Accumulation of IPA-PCS and Recursive Process in Aztec 3

Optimizations:

(1)

References

Read more

Barretenberg Project: Implementation of the Simplified Plonk

Notes on Plonk Prover's and Verifier's algorithm

tags: `aztec-3, honk`