Introducing plonkit

TL;DR

Plonkit is a zkSNARK toolkit to work with Circom, a developer-friendly ZKP circuit language, in PLONK proof system. It allows generating proof, verifying and exporting verifier smart contract.

The motivation of plonkit

To date, PLONK is one of the most performant zk-SNARKS proof systems in terms of proving time and proof size. As explained by Vitalik Buterin, by being benefited from “universal and updateable” setup, PLONK is more secure when compared to Groth16, without introducing much performance loss.

However, it is inefficient to write circuits in pure C++/Rust/… , which requires writing a lot of constraints by hand. By using developer-friendly Circom DSL, people can then write circuits more efficiently and more conveniently. Aiming at bringing PLONK to Circom ecosystem, plonkit is designed. 1

Functionalities

The functionalities of plonkit include:

  • Local Structured-Reference-String (SRS) setup
  • Verification Key Generation (corresponding to a given circuit)
  • Proof Generation
  • Proof Verfication
  • Verifier Smart Contract Generation
  • Proof Aggregation

Local SRS setup

To export a verification key and to generate a proof (both explained later), we need a Structured-Reference-String. In test_poseidon_plonk.sh, we provide a download link 2 for a SRS file previously set up. According to matter-labs, this SRS file is parsed from AZTEC’s ignition setup.

For the convenience for testing, we add the support for genenrating SRS locally.

Verification Key Generation

Users can export a verification key for a circuit. The verification key is needed for future proof verification.

Proof Generation

A prover can generate a proof proving he knows a witness satisfying the circuit.

Proof Verfication

Proof verfication is to verified a proof using a verification key.

Verifier Smart Contract Generation

Users can generate a verifier smart contract based on a verification key, then a proof can be verified on EVM using this smart contract.

Proof Aggregation

Plonkit wraps up recursive_aggregation_circuit to achieve proof aggregation. Proof aggregation is based on “Recursive Proof Composition” described in Halo paper.

Some points worth noting (in the following explanations “we” stands for both “plonkit” and recursive_aggregation_circuit):

  • Unlike Halo, we don’t use cyclic curves but simulate base field operations 3, because on Ethereum we only have one curve (BN_254).
  • We aggregate multiple proof into an aggregated proof in one step, instead of iterating and aggregating one by one.
  • We don’t check the pairing in the circuit. Instead, we aggregate the pairing points and check the pairing in smart contract.

Workflow / Usecase

The diagram below demonstrates a typical workflow of using plonkit:

plonkit

The test_poseidon_plonk.sh script is also a comprehensive example of the whole workflow.

Acknowledgements

Thanks the great work of these teams/individuals!

Try out plonkit here and have fun!


  1. By the time of starting plonkit project, Circom/snarkJS didn’t support PLONK but it does now. Still, proving in plonkit is more efficient than in snarkJS (plonkit uses Rust and snarkJS uses JS, and their PLONK implementations are different), whereas snarkJS can be run in browsers but plonkit cannot.

  2. Taken from https://github.com/matter-labs/zksync/blob/master/infrastructure/zk/src/run/run.ts#L77

  3. We simulate base field elements as “limb”s.