Plonk By Hand

Reference

Codes

All the codes below are python with SageMath.

K = GF(101)
# y^2=x^3+3
E = EllipticCurve(K,[0,0,0,0,3])

G = E(1,2) # <G> is subgroup of order 17, 17*G=inf
for i in range(1,18):
    print(i*G)

(1 : 2 : 1)
(68 : 74 : 1)
(26 : 45 : 1)
(65 : 98 : 1)
(12 : 32 : 1)
(32 : 42 : 1)
(91 : 35 : 1)
(18 : 49 : 1)
(18 : 52 : 1)
(91 : 66 : 1)
(32 : 59 : 1)
(12 : 69 : 1)
(65 : 3 : 1)
(26 : 56 : 1)
(68 : 27 : 1)
(1 : 99 : 1)
(0 : 1 : 0)

embedding degree

The degree of the extension field of characteristic

p

that contains every point of order

r

on the elliptic curve is the embedding degree. It has a simple formula: the embedding degree is the smallest number

k

such that

r | p^{k} - 1

. Since

600 * 17 = (101^{2} - 1) / 17

, the embedding degree for

E (F_{101})

2

If r is relatively prime to the charactersitc p of the field, then there will be exactly

r^{2}

points of order r in

F_{p^{k}}

. Thus, there are total of

17^{2}

points on the elliptic curve

E (F_{101^{2}})

extension field

Find an irreducible polynomial of degree

2

F_{101}

, e.g.

x^{2} + 2

. Let

u

be a solution, then all the points in

F_{101^{2}}

can be written as

a + b \cdot u, \forall a, b \in F_{101}

# use the twisted curve technique from pairing for beginner
# to get another generator of order 17 (G2)
# (36, 31*u) 
mod(36^3,101)+3  == mod(31^2,101)*(-2)  # x^3+3 = y^2 mod 101

True

# define field extention F_{101^2} over F_101 with irreducible poly x^2+2
del(x)
x=var("x")
K2.<u> = GF(101^2, modulus=x^2 + 2,name='x')
# elliptic curve over F_{101^2}
E2=EllipticCurve(K2,[0,0,0,0,3])
P=E2(36,31*u)
2*P

(90 : 82*u : 1)

trusted setup

a circuit with

n

gates requires an SRS with at least

n + 5

elements as below

G_{1}, s \cdot G_{1}, \dots, s^{n + 2} \cdot G_{1}, G_{2}, s \cdot G_{2}

suppose secret random number

s = 2

, and

n = 4

we have srs:

(1, 2), (68, 74), (65, 98), (18, 49), (1, 99), (68, 27), (65, 3), (31, 36 u), (90, 82 u)

Statement

(Pythagorean Triangle) Find

(x_{1}, x_{2}, x_{3})

such that

x_{1}^{2} + x_{2}^{2} = x_{3}^{2}

General form of plonk circuit is

q_{L} a + q_{R} b + q_{O} c + q_{M} a b + q_{C} = 0

The Pythagorean circuit becomes

0 \cdot a_{1} + 0 \cdot b_{1} + (- 1) \cdot c_{1} + 1 \cdot a_{1} b_{1} + 0 = 0 0 \cdot a_{2} + 0 \cdot b_{2} + (- 1) \cdot c_{2} + 1 \cdot a_{2} b_{2} + 0 = 0 0 \cdot a_{3} + 0 \cdot b_{3} + (- 1) \cdot c_{3} + 1 \cdot a_{3} b_{3} + 0 = 0 1 \cdot a_{4} + 1 \cdot b_{4} + (- 1) \cdot c_{4} + 0 \cdot a_{4} b_{4} + 0 = 0

In matrix form we have:

a	b	c	q_L	q_R	q_O	q_M
3	3	9	0	0	-1	1
4	4	16	0	0	-1	1
5	5	25	0	0	-1	1
9	16	25	1	1	-1	0

where

a, b, c

are advice columns in halo2, and the rest five columns are selectors (fixed column)

polynomial interpolation

We need subgroup of order

4

to interpolate each column, and luckily, the scalar field

F_{17}

has root of unity

ω = 4

. Thus the subgroup is

H

, and we can split the non-zero elements into cosets.

H = (ω^{0}, ω^{1}, ω^{2}, ω^{4}) = (1, 4, 16, 13) k_{1} H = 2 H = (2, 8, 15, 9) k_{2} H = 3 H = (3, 12, 14, 5)

For polynomial

f (x) = a + b x + c x^{2} + d x^{3}

f (ω^{i}) = (1, ω^{i}, ω^{2 i}, ω^{3 i}) \cdot (a, b, c, d)^{T}

. Define matrix

Ω = (ω^{i j})_{i, j}

. By inverse FFT, we have

(a, b, c, d) = Ω^{- 1} \cdot (f (ω^{0}), f (ω^{1}), f (ω^{2}), f (ω^{3}))^{T} = \frac{1}{4} (ω^{- i j})_{i, j} \cdot (f (ω^{0}), f (ω^{1}), f (ω^{2}), f (ω^{3}))^{T}

Ω^{- 1} = \begin{matrix} \frac{1}{4} \end{matrix} \cdot [\begin{matrix} 1 & 1 & 1 & 1 \\ 1 & 13 & 16 & 4 \\ 1 & 16 & 1 & 16 \\ 1 & 4 & 16 & 13 \end{matrix}] = [\begin{matrix} 13 & 13 & 13 & 13 \\ 13 & 16 & 4 & 1 \\ 13 & 4 & 13 & 4 \\ 13 & 1 & 4 & 16 \end{matrix}]

Notice

(ω^{- i j})_{i, j}

is "conjugate transpose" of

Ω

, not transpose.

omega=matrix(GF(17),[[1,1,1,1],[1,4,16,13],[1,16,1,16],[1,13,16,4]])
omega.inverse()

[13 13 13 13]
[13 16  4  1]
[13  4 13  4]
[13  1  4 16]

Thus all the polynomials for each row are:

f_{a} = 1 + 13 x + 3 x^{2} + 3 x^{3} f_{b} = 7 + 3 x + 14 x^{2} + 13 x^{3} f_{c} = 6 + 5 x + 11 x^{2} + 4 x^{3} q_{L} = 13 + x + 4 x^{2} + 16 x^{3} q_{R} = 13 + x + 4 x^{2} + 16 x^{3} q_{O} = 16 q_{M} = 5 + 16 x + 13 x^{2} + x^{3} q_{C} = 0

copy constraint

From

x_{1}^{2} + x_{2}^{2} = x_{3}^{3}

, we have

6

constraints:

a_{1} = b_{1} = x_{1} a_{2} = b_{2} = x_{2} a_{3} = b_{3} = x_{3} a_{4} = c_{1} b_{4} = c_{2} c_{4} = c_{3} (a_{1}, b_{1}), (a_{2}, b_{2}), (a_{3}, b_{3}), (a_{4}, c_{1}), (b_{4}, c_{2}), (c_{4}, c_{3})

encode permutation from copy constraint as polynomial

If we use

H = [1, 4, 16, 13]

to define the values on cell

a

k_{1} H = [2, 8, 15, 9]

to define values on cell

b

k_{2} H = [3, 12, 14, 5]

to label values on cell

c

. The only requirement here is that these values are unique. Then, the

6

copy constraints defined permutaion on these values:

(1, 2) (4, 8) (16, 15) (13, 3) (9, 12) (14, 5)

. And we can encode them as polynomials:

S_{σ_{1}} (x) = 7 + 13 x + 10 x^{2} + 6 x^{3} S_{σ_{2}} (x) = 4 + 13 * x^{2} + x^{3} S_{σ_{3}} (x) = 6 + 7 x + 3 x^{2} + 14 x^{3}

# fine the polynomial by apply inverse FFT
H=[1,4,16,13] # values of S_{sigma1}(x) before permutation
H1=[2,8,15,9] # values of S_{sigma2}(x) before permutation
H2=[3,12,14,5] 
perm = Permutation('(1,2)(16,15)(4,8)(13,3)(9,12)(14,5)') # permutation on the evaluation domain of polynomials
val = [[perm(i)] for i in H] # values of S_{sigma1}(x) after permutation
val1 = [[perm(i)] for i in H1] # values of S_{sigma2}(x) after permutation
val2 = [[perm(i)] for i in H2]
p=omega.inverse()*matrix(GF(17),val)
p1=omega.inverse()*matrix(GF(17),val1)
p2=omega.inverse()*matrix(GF(17),val2)
print(p.transpose())
print(p1.transpose())
print(p2.transpose())

[ 7 13 10  6]
[ 4  0 13  1]
[ 6  7  3 14]

# check the polynomial evaluation on [1,omega,omega^2,omega^3]
perm = Permutation('(1,2)(16,15)(4,8)(13,3)(9,12)(14,5)')
H=[1,4,16,13]
H1=[2,8,15,9]
H2=[3,12,14,5] 
R.<t>=PolynomialRing(GF(17))

p1=7+13*t+10*t^2+6*t^3
l1=[int(p1(x)) for x in H]
print(l1,[perm(i) for i in H]) # should equal

p2=4+13*t^2+t^3
l2=[int(p2(x)) for x in H]
print(l2,[perm(i) for i in H1]) # should equal

p3=6+7*t+3*t^2+14*t^3
l3=[int(p3(x)) for x in H]
print(l3,[perm(i) for i in H2])

[2, 8, 15, 3] [2, 8, 15, 3]
[1, 4, 16, 12] [1, 4, 16, 12]
[13, 9, 5, 14] [13, 9, 5, 14]

Round 1

commit a,b,c
With

Z_{H} (x) = x^{4} - 1

, we have:

a (x) = (b_{1} x + b_{2}) \cdot Z_{H} (x) + f_{a} (x) b (x) = (b_{3} x + b_{4}) \cdot Z_{H} (x) + f_{b} (x) c (x) = (b_{5} x + b_{6}) \cdot Z_{H} (x) + f_{c} (x)

Generating random numbers in

F_{17}

, suppose we got

(b_{1}, b_{2}, b_{3}, b_{4}, b_{5}, b_{6}) = (7, 4, 11, 12, 16, 2)

. Then

a (x) = 14 + 6 x + 3 x^{2} + 3 x^{3} + 4 x^{4} + 7 x^{5} b (x) = 12 + 9 x + 14 x^{2} + 13 x^{3} + 12 x^{4} + 11 x^{5} c (x) = 4 + 6 x + 11 x^{2} + 4 x^{3} + 2 x^{4} + 16 x^{5}

Finally, we commit them with SRS

[a (x)] = [a (x)] \cdot (1, 2) = (91, 66) [b (x)] = (26, 45) [c (x)] = (91, 35)

def commit_to_curve(coeff, base):
    commitment = 0*base;
    s = 2 # secret value
    for i in range(len(coeff)):
        commitment += coeff[i]*(s^i*base)
    return commitment
a=[14,6,3,3,4,7]
b=[12,9,14,13,12,11]
c=[4,6,11,4,2,16]        
comm_a = commit_to_curve(a,G)
comm_b = commit_to_curve(b,G)
comm_c = commit_to_curve(c,G)
print(comm_a,comm_b,comm_c)

(91 : 66 : 1) (26 : 45 : 1) (91 : 35 : 1)

Round 2

Generate

(b_{7}, b_{8}, b_{9}) = (14, 11, 7) \in F_{17}

, get challenge

(β, γ) = (12, 13) \in F_{17}

, compute

z (x)

z (x) = (b_{7} x^{2} + b_{8} x + b_{9}) \cdot Z_{H} (x) + a c c (x) a c c_{0} = 1 a c c_{i} = a c c_{i - 1} \frac{(a_{i} + β ω^{i - 1} + γ) (b_{i} + β k_{1} ω^{i - 1} + γ) (c_{i} + β k_{2} ω^{i - 1} + γ)}{(a_{i} + β S_{σ_{1}} (ω^{i - 1}) + γ) (b_{i} + β S_{σ_{2}} (ω^{i - 1}) + γ) (c_{i} + β S_{σ_{3}} (ω^{i - 1}) + γ)} a c c_{1} = 1 \cdot \frac{(3 + 12 * 1 + 13) (3 + 12 * 2 * 1 + 13) (9 + 12 * 3 * 1 + 13)}{(3 + 12 * 2 + 13) (3 + 12 * 1 + 13) (9 + 12 * 13 + 13)} = \frac{11 \cdot 6 \cdot 7}{6 \cdot 11 \cdot 8} = 3 a c c_{2} = 3 \cdot \frac{(4 + 12 * 4 + 13) (4 + 12 * 2 * 4 + 13) (16 + 12 * 3 * 4 + 13)}{(4 + 12 * 8 + 13) (4 + 12 * 4 + 13) (16 + 12 * 9 + 13)} = 3 \cdot \frac{14 \cdot 11 \cdot 3}{11 \cdot 14 \cdot 1} = 9 a c c_{2} = 9 \frac{(5 + 12 * 16 + 13) (5 + 12 * 2 * 16 + 13) (25 + 12 * 3 * 16 + 13)}{(5 + 12 * 15 + 13) (5 + 12 * 16 + 13) (25 + 12 * 5 + 13)} = 9 \cdot \frac{6 \cdot 11 \cdot 2}{11 \cdot 6 \cdot 13} = 4 a c c (x) = 16 x + 5 x^{2} + 14 x^{3} z (x) = (14 x^{2} + 11 x + 7) (x^{4} - 1) + 16 x + 5 x^{2} + 14 x^{3} = 10 + 5 x + 8 x^{2} + 14 x^{3} + 7 x^{4} + 11 x^{5} + 14 x^{6} [z (x)]_{1} = [z (x)] * (1, 2) = (32, 59)

# commitment of z(x)
omega=matrix(GF(17),[[1,1,1,1],[1,4,16,13],[1,16,1,16],[1,13,16,4]])
acc=omega.inverse()*matrix(GF(17),[[1],[3],[9],[4]])
coeff_z = [10,5,8,14,7,11,14]
commit_to_curve(coeff_z,G)

(32 : 59 : 1)

Round 3

Compute quotient challenge

α = 15 \in F_{17}

, compute quotient polynomial

t (x) = (a (x) b (x) q_{M} (x) + a (x) q_{L} (x) + b (x) q_{R} (x) + c (x) q_{O} (x) + P I (x) + q_{C} (x)) \frac{1}{Z_{H} (x)} + (a (x) + β x + γ) (b (x) + β k_{1} x + γ) (c (x) + β k_{2} x + γ) z (x) \frac{α}{Z_{H} (x)} - (a (x) + β S_{σ_{1}} (x) + γ) (b (x) + β S_{σ_{2}} (x) + γ) (c (x) + β S_{σ_{2}} (x) + γ) z (ω x) \frac{α}{Z_{H} (x)} + (z (x) - 1) L_{1} (x) \frac{α^{2}}{Z_{H} (x)}

Then split into degree

< n + 2

polynomials

t_{l o} (x), t_{m i d} (x), t_{h i} (x)

where

t (x) = t_{l o} (x) + t_{m i d} (x) + t_{h i} (x)

Output

[t_{l o} (x)], [t_{m i d} (x)], [t_{h i} (x)]

We have

t (x) = 11 x^{17} + 7 x^{16} + 2 x^{15} + 16 x^{14} + 6 * x^{13} + 15 x^{12} + x^{11} + 10 x^{10} + 2 x^{9} + x^{8} + 8 x^{7} + 13 x^{6} + 13 x^{5} + 9 x^{3} + 13 x^{2} + 16 x + 11 t_{l o} = 11 + 16 x + 13 x^{2} + 9 x^{3} + 13 x^{5} t_{m i d} = 13 + 8 x + x^{2} + 2 x^{3} + 10 x^{4} + x^{5} t_{h i} = 15 + 6 x + 16 x^{2} + 2 x^{3} + 7 x^{4} + 11 x^{5}

And the commitment

[t_{l o}]_{1} = (12, 32) [t_{m i d}]_{1} = (26, 45) [t_{h i}]_{1} = (91, 66)

omega=matrix(GF(17),[[1,1,1,1],[1,4,16,13],[1,16,1,16],[1,13,16,4]])
R.<x>=PolynomialRing(GF(17))
# Lagrange polynomial L_1(x)
L_1=omega.inverse()*matrix(GF(17),[[1],[0],[0],[0]])
l1=13+13*x+13*x^2+13*x^3
a = 14+6*x+3*x^2+3*x^3+4*x^4+7*x^5
b =12+9*x+14*x^2+13*x^3+12*x^4+11*x^5
c=4+6*x+11*x^2+4*x^3+2*x^4+16*x^5
q_L=13+x+4*x^2+16*x^3
q_R =13+x+4*x^2+16*x^3 
q_O = 16 
q_M=5+16*x+13*x^2+x^3
z = 10+5*x+8*x^2+14*x^3+7*x^4+11*x^5+14*x^6
zomega = 10+3*x+9*x^2+12*x^3+7*x^4+10*x^5+3*x^6
sig1=7+13*x+10*x^2+6*x^3
sig2=4+13*x^2+x^3
sig3=6+7*x+3*x^2+14*x^3
t1=(a*b*q_M + a*q_L +b*q_R+c*q_O)
t2=(a+12*x+13)*(b+12*2*x+13)*(c+12*3*x+13)*z*15
t3=(a+12*sig1+13)*(b+12*sig2+13)*(c+12*sig3+13)*zomega*15
t4=(z-1)*l1*15*15
final=t1+t2-t3+t4
t=final/(x^4-1)
t

11*x^17 + 7*x^16 + 2*x^15 + 16*x^14 + 6*x^13 + 15*x^12 + x^11 + 10*x^10 + 2*x^9 + x^8 + 8*x^7 + 13*x^6 + 13*x^5 + 9*x^3 + 13*x^2 + 16*x + 11

tlow=[11,16,13,9,0,13]
tmid=[13,8,1,2,10,1]
thi=[15,6,16,2,7,11]
tlow=commit_to_curve(tlow,G)
tmid=commit_to_curve(tmid,G)
thi=commit_to_curve(thi,G)
print(tlow,tmid,thi)

(12 : 32 : 1) (26 : 45 : 1) (91 : 66 : 1)

Round 4

Linearization. Compute evaluation challenge

ζ = 5 \in F_{19}

Compute opening evaluations

\bar{a} = a (ζ), \bar{b} = b (ζ), \bar{c} = c (ζ) \bar{S_{σ_{1}}} = S_{σ_{1}} (ζ), \bar{S_{σ_{2}}} = S_{σ_{2}} (ζ) \bar{t} = t (ζ) \bar{z_{ω}} = z (ω ζ)

Compute linearization polynomial (linear w.r.p commitment values):

r (x) = \bar{a} \bar{b} q_{M} (x) + \bar{a} q_{L} (x) + \bar{b} q_{R} (x) + \bar{c} q_{O} (x) + q_{C} (x) + α (\bar{a} + β ζ + γ) (\bar{b} + β k_{1} ζ + γ) (\bar{c} + β k_{2} ζ + γ) z (x) - α (\bar{a} + β \bar{S_{σ_{1}}} + γ) (\bar{b} + β \bar{S_{σ_{2}}} + γ) β \bar{z_{ω}} S_{σ_{3}} (x) + α^{2} z (x) L_{1} (ζ)

The definition of

r (x)

is not same as in plonk paper, where we removed all the constant terms when we do linearization. This can save one verifier scalar multiplication.

Compute linearization evaluation

\bar{r} = r (ζ)

. And output

\bar{a}, \bar{b}, \bar{c}, \bar{S_{σ_{1}}}, \bar{S_{σ_{2}}}, \bar{z_{ω}}, \bar{t}, \bar{r}

Supose

ζ = 5

, we have (I skip the calculation here, just copy from the blog):

\bar{a} = a (5) = 15, \bar{b} = 13, \bar{c} = 5, \bar{S_{σ_{1}}} = 1, \bar{S_{σ_{2}}} = 12, \bar{t} = 1, \bar{z_{ω}} = 15 r (x) = 16 x + 9 x^{2} + 13 x^{3} + 8 x^{4} + 15 x^{5} + 16 x^{6} \bar{r} = 15

Output

\bar{a} = 15, \bar{b} = 13, \bar{c} = 5 \bar{S_{σ_{1}}} = 1, \bar{S_{σ_{2}}} = 12 \bar{t} = 1 \bar{z_{ω}} = 15 \bar{r} = 15

Round 5

Compute opening challenge

v \in F_{19}

Compute opening proof polynomial

W_{ζ} (x)

W_{ζ} (x) = \begin{matrix} \frac{1}{x - ζ} \end{matrix} \cdot [\begin{matrix} t_{l o} (x) + ζ^{n + 2} t_{m i d} (x) + ζ^{2 n + 4} t_{h i} (x) - \bar{t} \\ + v (r (x) - \bar{r}) \\ + v^{2} (a (x) - \bar{a}) \\ + v^{3} (b (x) - \bar{b}) \\ + v^{4} (c (x) - \bar{c}) \\ + v^{5} (S_{σ_{1}} (x) - \bar{S_{σ_{1}}}) \\ + v^{6} (S_{σ_{2}} (x) - \bar{S_{σ_{2}}}) \end{matrix}]

Compute opening proof polynomial

W_{ζ ω} (x)

W_{ζ ω} (x) = \frac{z (x) - \bar{z_{ω}}}{x - ζ ω}

Output

[W_{ζ} (x)]_{1}, [W_{ζ ω} (x)]_{1}

Given

ζ = 5

, we have

[W_{ζ} (x)]_{1} = (91, 35), [W_{ζ ω} (x)]_{1} = (65, 98)

FF=GF(17)
omega=FF(4);zeta=FF(5)
v=FF(12);tbar=FF(1);abar=FF(15);bbar=FF(13);cbar=FF(5);
sig1bar=FF(1);sig2bar=FF(12);zomega=FF(15);rbar=FF(15)
R.<x>=PolynomialRing(GF(17))
tlow=11+16*x+13*x^2+9*x^3+13*x^5
tmid=13+8*x+x^2+2*x^3+10*x^4+x^5
thi=15+6*x+16*x^2+2*x^3+7*x^4+11*x^5
r=16*x+9*x^2+13*x^3+8*x^4+15*x^5+16*x^6
sig1=7+13*x+10*x^2+6*x^3
sig2=4+13*x^2+x^3
z = 10+5*x+8*x^2+14*x^3+7*x^4+11*x^5+14*x^6
term1=tlow+zeta^6*tmid+zeta^12*thi-tbar
term2=v*(r-rbar)
term3=v^2*(a-abar)+v^3*(b-bbar)+v^4*(c-cbar)
term4=v^5*(sig1-sig1bar)+v^6*(sig2-sig2bar)
Wz=(term1+term2+term3+term4)/(x-zeta)
Wzw=(z-zomega)/(x-zeta*omega)

wz=[16,13,2,9,3,5]
wzw=[13,14,2,13,2,14]
c1=commit_to_curve(wz,G)
c2=commit_to_curve(wzw,G)
print(c1,c2)

(91 : 35 : 1) (65 : 98 : 1)

Proof

π = ([a], [b], [c], [z], [t_{l o}], [t_{m i d}], [t_{h i}], [W_{ζ}], [W_{ζ ω}] \bar{a}, \bar{b}, \bar{c}, \bar{S_{σ_{1}}}, \bar{S_{σ_{2}}}, \bar{z_{ω}}, \bar{r})

In our case,

π = ((91, 66), (26, 45), (91, 35), (32, 59), (12, 32), (26, 45), (91, 66), (91, 35), (65, 98) 15, 13, 5, 1, 12, 15, 15)

Verify Preprocessing

[q_{M}] = (12, 69) [q_{L}] = (32, 42) [q_{R}] = (32, 42) [q_{O}] = (1, 99) [q_{C}] = \infty [s_{σ_{1}}] = (68, 74) [s_{σ_{2}}] = (65, 3) [s_{σ_{3}}] = (18, 49)

R.<x>=PolynomialRing(GF(17))
omega=matrix(GF(17),[[1,1,1,1],[1,4,16,13],[1,16,1,16],[1,13,16,4]])
qm=omega.inverse()*matrix(GF(17),[[1],[1],[1],[0]]) #[ 5 16 13  1]
commit_to_curve([ 5, 16, 13,  1],G) # [q_M]=(12,69)

(12 : 69 : 1)

Verifier Algorithm

Validate
$[a], [b], [c], [z], [t_{l o}], [t_{m i d}], [t_{h i}], [W_{ζ}], [W_{ζ ω}] \in G_{1}$
Validate
$\bar{a}, \bar{b}, \bar{c}, \bar{S_{σ_{1}}}, \bar{S_{σ_{2}}}, \bar{z_{ω}}, \bar{r} \in F_{17}$ .
Validate
$w_{i \in [l]} \in F_{17}$ (public inputs)
Compute zero polynomial evaluation:
$Z_{H} (ζ) = ζ^{n} - 1$ .
Compute
$L_{1} (ζ) = \frac{ζ^{n} - 1}{n (ζ - 1)}$
Compute public input polynomial evaluation:
$P I (ζ) = \sum_{i \in [l]} w_{i} L_{i} (ζ)$
Compute quotient polynomial evaluation:

$\bar{t} = \frac{\bar{r} + P I (ζ) - (\bar{a} + β \bar{S_{σ_{1}}} + γ) (\bar{b} + β \bar{S_{σ_{2}}} + γ) (\bar{c} + γ) α - L_{1} (ζ) α^{2}}{Z_{H} (ζ)}$
Compute first part of batched polynomial commitment. Define
$[D] = v [r (x)] + u [z]$ :

$[D] = \bar{a} \bar{b} v [q_{M}] + \bar{a} v [q_{L}] + \bar{b} v [q_{R}] + \bar{c} v [q_{O}] + v [q_{C}] + ((\bar{a} + β ζ + γ) (\bar{b} + β k_{1} ζ + γ) (\bar{c} + β k_{2} ζ + γ) α v + L_{1} (ζ) α^{2} v + u) [z] - (\bar{a} + β \bar{S_{σ_{1}}} + γ) (\bar{b} + β S_{σ_{2}} + γ) α v β \bar{z_{ω}} [S_{σ_{3}}]$
Compute full batched polynomial commitment

$[F] = [t_{l o}] + ζ^{n + 2} [t_{m i d}] + ζ^{2 n + 4} [t_{h i}] + [D] + v^{2} [a] + v^{3} [b] + v^{4} [c] + v^{5} [S_{σ_{1}}] + v^{6} [S_{σ_{2}}]$
Compute group encoded batch evaluation
$[E]$ :

$[E] = (\bar{t} + v \bar{r} + v^{2} \bar{a} + v^{3} \bar{b} + v^{4} \bar{c} + v^{5} \bar{S_{σ_{1}}} + v^{6} \bar{S_{σ_{2}}} + u \bar{z_{ω}}) \cdot [1]$
Batch validate all evaluations:

$e ([W_{ζ}] + u [W_{ζ ω}], [s]_{2}) = e (ζ [W_{ζ}] + u ζ ω [W_{ζ ω}] + [F] - [E], [1]_{2})$

Calculation

Let's check steps

9 - 11

for each of the polynomials. For example the terms with

u

e (u \cdot s \cdot [W_{ζ ω}], 1) \overset{?}{=} e (u ζ ω [W_{ζ ω}] + u [z] - u z (ω ζ), 1) e (u \cdot (s - ζ ω) [W_{ζ ω}], 1) \overset{?}{=} e (u (z (s) - z (ω ζ), 1) (s - ζ ω) \frac{z (s) - z (ζ ω)}{s - ζ ω} \overset{?}{=} z (s) - z (ω ζ)

Let's check

r (x)

, here we define

[W_{ζ}] = \frac{v (r (s) - r (ζ))}{s - ζ}

for simplicity:

e (s \cdot [W_{ζ}], 1) \overset{?}{=} e (ζ [W_{ζ}] + v \cdot r (s) - v \bar{r}, 1) e ((s - ζ) \cdot \frac{v (r (s) - r (ζ))}{s - ζ}, 1) \overset{?}{=} e (v (r (s) - r (ζ)), 1)

Let's check

t (x)

, here we define

[W_{ζ}] = \frac{t_{l o} (s) + ζ^{n + 2} t_{m i d} (s) + ζ^{2 n + 4} t_{h i} (s) - t (ζ)}{s - ζ}

for simplicity

e ((s - ζ) [W_{ζ}], 1) \overset{?}{=} e ([t_{l o}] + ζ^{n + 2} [t_{m i d}] + ζ^{2 n + 4} [t_{h i}] - \bar{t}, 1) e (t_{l o} (s) + ζ^{n + 2} t_{m i d} (s) + ζ^{2 n + 4} t_{h i} (s) - t (ζ), 1) \overset{?}{=} e (t_{l o} (s) + ζ^{n + 2} t_{m i d} (s) + ζ^{2 n + 4} t_{h i} (s) - t (ζ), 1)

The other terms are easy to check as well.

Verify with concret example

the blog only checks the points are on the curve, not check if in the subgroup
$G_{1}$ . However, in our case, we have the table of all elements of
$G_{1}$ , which is easy to compare the commitments with table.
just check the values are less than
$17$ .
skip, no public inputs.
$Z_{H} (ζ) = 12$
$L_{1} (ζ) = \frac{ζ^{n} - 1}{n (ζ - 1)} = 5$
skip, no public inputs.
$\bar{t} = 1$
$[D] = i n f$
$[F] = (68, 27)$
$[E] = (1, 2)$
$e ((32, 42), (36, 31 u)) \overset{?}{=} e ((12, 69), (90, 82 u))$

FF=GF(17)
zeta=FF(5)
#4.
zh=zeta^4-1
#5.
l1=(zeta^4-1)/(4*(zeta-1)) #l1=5
#7.
alpha=FF(15);beta=FF(12);gamma=FF(13)
[a,b,c,sig1,sig2,zw,r]=[FF(x) for x in [15,13,5,1,12,15,15]]
t=(r-(a+beta*sig1+gamma)*(b+beta*sig2+gamma)*(c+gamma)*alpha-l1*alpha^2)/zh

#8
zeta=5;alpha=15;beta=12;gamma=13;l1=5
[a,b,c,sig1,sig2,zw,r] = [15,13,5,1,12,15,15]
k1=2;k2=3;v=12;u=4;qm=E(12,69);ql=E(32,42);qr=E(32,42);qo=E(1,99)
ssig1=E(68,74);ssig2=E(65,3);ssig3=E(18,49)
z=E(32,59)
dn1=a*b*v*qm+a*v*ql+b*v*qr+c*v*qo
dn2a=(a+beta*zeta+gamma)*(b+beta*k1*zeta+gamma)*(c+beta*k2*zeta+gamma)*alpha*v+l1*alpha^2*v+u
dn2=dn2a*z
dn3a=(a+beta*sig1+gamma)*(b+beta*sig2+gamma)*a*v*beta*zw
dn3=dn3a*ssig3
D=dn1+dn2+dn3 # (0:1:0)=inf

#9.
n=4
[ca,cb,cc,cz,ctlo,ctmid,cthi,cwz,cwzw]=[E(91,66),E(26,45),E(91,35),E(32,59),E(12,32),E(26,45),E(91,66),E(91,35),E(65,98)]
F=ctlo+zeta^(n+2)*ctmid+zeta^(2*n+4)*cthi+D+v^2*ca+v^3*cb+v^4*cc+v^5*ssig1+v^6*ssig2
#10.
t=1
Es=t+v*r+v^2*a+v^3*b+v^4*c+v^5*sig1+v^6*sig2+u*zw
E0=Es*G
#11.
left1=cwz+u*cwzw
left2=2*G
w=4
right1=zeta*cwz+u*zeta*w*cwzw+F-E0
right2=G

# 11.
K = GF(101)
# y^2=x^3+3
E = EllipticCurve(K,[0,0,0,0,3])
# define field extention F_{101^2} over F_101 with irreducible poly x^2+2
# x is poluted so we need to reset them before define K2
del(x)
x=var("x")
K2.<u> = GF(101^2, modulus=x^2 + 2,name='x')
# elliptic curve over F_{101^2}
E2=EllipticCurve(K2,[0,0,0,0,3])
P=E2(36,31*u)
2*P

Plonk By Hand

Reference

Codes

Round 1

Round 2

Round 3

Round 4

Round 5

Proof

Verify Preprocessing

Verifier Algorithm

Calculation

Verify with concret example

tags: public plonk zkp

Read more

Barrett Reduction

Lookup argument for folding

Montgomery modular multiplication

MACI v1.0: top-up voice credits

tags: `public` `plonk` `zkp`