[Guest: Barry Whitehat] PLONK & the Future of ZK
Descriptionβ
In this session, Barry Whitehat discusses the next generation of ZKPs including Plookup and recursive ZKPs, and what is possible with next generation of zktooling.
π A commitment scheme allows you to publicly publish a value (called a commitment) that binds you to some message without revealing the message itself. A polynomial commitment allows you to commit to a polynomial such that someone else can verify the claimed evaluations of the committed polynomial. A polynomial commitment can be thought of as committing to a list of numbers (i.e. a polynomialβs coefficients).
The construction of ZK proof systems rely on some form of generated randomness (i.e. public parameters), but it is crucial that this randomness remains secret and cannot be re-created β otherwise, the security of the system would be compromised. In practice, trusted setup is a way for many parties to contribute to such secret randomness and thus the security of a cryptographic protocol. Each party contributes their own secret value to the trusted setup process and doesnβt tell anyone else what their contribution was.
A polynomial opening is created using public parameters from the trusted setup + polynomial commitments + elliptic curve pairings. This opening can be used to build constraints and check public inputs. For example, to build the constraint (where , , and are polynomials created by the prover), the prover first commits to , , and using polynomial commitments. Then, the verifier sends a random value and asks the prover for polynomial openings of , , and at . The verifier verifies that by checking . This is possible due to the Schwartz Zippel lemma, which essentially says that checking one point of the polynomial is equivalent to checking all points on the polynomial with high probability.
Why is all of this important? In ZK protocols, the information you want to prove is encoded into a polynomial. The goal of the prover is to show that it knows some secret polynomial that evaluates to 0 for specific values chosen by the verifier (which are encoded as another polynomial). In other words, the prover needs to show that this secret polynomial has certain roots. The prover does this by showing it knows a quotient polynomial such that if the secret polynomial is divided by , the result is the polynomial provided by the verifier. The ZK part comes from the fact that we are using some pretty magical math tools like pairings and the power of collective security from the trusted setup!
In recent years, ZK proof systems have been modified for different use cases. Plonk is a highly efficient and general-purpose zk-SNARK proof system that uses Plookup β which translates polynomials into pre-computed lookup tables for fast computation. Other extensions include ultra plonk, mobile proofs, and recursive proofs.
Slides Link(s)β
https://docs.google.com/presentation/d/1YwT_x2LI7X3izMiueHhnCsfNvnCHGcHAirQwsqNfzf8/edit?usp=sharing
Additional resourcesβ
For more explanation on PLONK, check out Vitalik's blog post.
Check-in Questionsβ
(1) Forging Polynomials: Let's suppose the prover didn't commit to a polynomial before the verifier sends evaluation points. What is problematic about this construction?
(2) Role of random value : Why does the verifier send a random value to the prover to check that the constraint is satisfied? Why is it important that is random?
Sample Answers
(1) Forging Polynomials: The prover needs to show that they know some polynomial that satisfies some constraints without revealing the polynomial itself. To show proof that the polynomial satisfies these constraints, the prover must provide polynomial openings which require evaluations at points the verifier sends. Without committing to the polynomial beforehand, the prover could simply construct a polynomial that satisfies the constraints at the given evaluation points β and thus forge a proof that the verifier accepts.
(2) Role of random value : The verifier generates a random value to check that the evaluations of the , , and polynomials at are equivalent to . The reason the verifier need to send a random value is so the prover doesnβt know ahead of time β otherwise, the prover could falsify the proof by choosing polynomials (different than the ones they committed to) that also satisfy .