Introducing plonkit
October 20, 2021
The motivation of plonkit
To date, PLONK is one of the most performant zk-SNARK proof systems in terms of proving time and proof size. As explained by Vitalik Buterin, by benefiting from a “universal and updateable” setup, PLONK is more secure than Groth16 without introducing much performance loss.
However, writing circuits in pure C++/Rust/… is inefficient, since it requires writing a lot of constraints by hand. By using the developer-friendly Circom DSL, people can write circuits more efficiently and more conveniently. plonkit is designed to bring PLONK to the Circom ecosystem. [1]
The functionalities of plonkit include:
- Local Structured-Reference-String (SRS) setup
- Verification Key Generation (corresponding to a given circuit)
- Proof Generation
- Proof Verification
- Verifier Smart Contract Generation
- Proof Aggregation
Local SRS setup
To export a verification key and to generate a proof (both explained later), we need a Structured-Reference-String. In test_poseidon_plonk.sh, we provide a download link [2] for an SRS file that was previously set up. According to matter-labs, this SRS file is parsed from AZTEC’s ignition setup.
For convenience in testing, we also support generating an SRS locally.
Verification Key Generation
Users can export a verification key for a circuit. The verification key is needed for future proof verification.
Proof Generation
A prover can generate a proof showing that they know a witness satisfying the circuit.
Proof Verification
Proof verification checks a proof against a verification key.
Verifier Smart Contract Generation
Users can generate a verifier smart contract based on a verification key, then a proof can be verified on EVM using this smart contract.
Proof Aggregation
Some points worth noting (in the following explanations “we” stands for both “plonkit” and recursive_aggregation_circuit):
- Unlike Halo, we don’t use cyclic curves but simulate base field operations [3], because on Ethereum we only have one curve (BN_254).
- We aggregate multiple proofs into one aggregated proof in a single step, instead of iterating and aggregating them one by one.
- We don’t check the pairing in the circuit. Instead, we aggregate the pairing points and check the pairing in the smart contract.
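The “simulate base field operations as limbs” point above (and footnote 3) is easy to misread, so here is an added Python illustration that is not plonkit’s code: BN254 pairing-point coordinates live in the base field Fq, but circuit wires live in the scalar field Fr, and Fq > Fr, so an Fq element is split into limbs and a multiplication x·y mod Q is checked as the integer identity x·y = k·Q + z over limb coefficients. The 64-bit limb width and 4-limb count are assumptions chosen for this example, not plonkit’s parameters.

```python
# BN254 moduli (public curve constants). Q > R, so one Fq value cannot be one Fr wire.
Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583  # base field Fq
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617  # scalar field Fr (circuit field)
LIMB_BITS = 64   # limb width (assumption for this example; real circuits tune this)
N_LIMBS = 4      # 4 * 64 = 256 bits covers 254-bit Fq elements
MASK = (1 << LIMB_BITS) - 1

def to_limbs(x: int) -> list[int]:
    """Little-endian base-2^64 limbs of x (x < 2^256 assumed); each limb fits an Fr wire."""
    return [(x >> (LIMB_BITS * i)) & MASK for i in range(N_LIMBS)]

def limb_poly_mul(a: list[int], b: list[int]) -> list[int]:
    """Schoolbook product as a coefficient vector, computed in Fr as a circuit would.
    Each coefficient is < N_LIMBS * 2^(2*LIMB_BITS) = 2^130 < R, so no wrap-around occurs."""
    out = [0] * (2 * N_LIMBS - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % R
    return out

def carry_normalize(coeffs: list[int]) -> list[int]:
    """Propagate carries so every position is < 2^64 (what carry-chain constraints enforce)."""
    out, carry = [], 0
    for c in coeffs:
        c += carry
        out.append(c & MASK)
        carry = c >> LIMB_BITS
    while carry:                       # high limbs spilled beyond the last coefficient
        out.append(carry & MASK)
        carry >>= LIMB_BITS
    return out

def check_mul_mod_q(x: int, y: int, k: int, z: int) -> bool:
    """Verifier-side constraint: x*y == k*Q + z over the integers, checked only via limbs."""
    lhs = limb_poly_mul(to_limbs(x), to_limbs(y))
    rhs = limb_poly_mul(to_limbs(k), to_limbs(Q))
    for i, zl in enumerate(to_limbs(z)):   # add the remainder limbs to the low coefficients
        rhs[i] = (rhs[i] + zl) % R
    return 0 <= z < Q and carry_normalize(lhs) == carry_normalize(rhs)

def mul_mod_q(x: int, y: int) -> int:
    """Prover side: compute the witness (k, z) natively, then confirm the limb constraint accepts it."""
    k, z = divmod(x * y, Q)
    assert check_mul_mod_q(x, y, k, z)
    return z
```

A wrong quotient or remainder in the witness changes a limb coefficient and the carry-normalized sides no longer match, which is why the constraint is sound as long as every coefficient stays below R.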
Workflow / Usecase
The diagram below demonstrates a typical workflow of using plonkit:
The test_poseidon_plonk.sh script is also a comprehensive example of the whole workflow.
Plonkit builds on top of the awesome libraries written by matter-labs:
- Plonkit also borrows some “R1CSFile reader” code from zkUtil.
- Furthermore, thanks to the great work and effort of the team behind Circom, developers can benefit from a friendly ZKP development language.
Thanks to these teams and individuals for their great work!
Try out plonkit here and have fun!
[1] At the time the plonkit project started, Circom/snarkJS didn’t support PLONK, but it does now. Still, proving in plonkit is more efficient than in snarkJS (plonkit uses Rust and snarkJS uses JS, and their PLONK implementations are different), whereas snarkJS can run in browsers but plonkit cannot.
[3] We simulate base field elements as “limb”s.