Introducing plonkit
October 20, 2021
TL;DR
Plonkit is a zkSNARK toolkit for working with Circom, a developer-friendly ZKP circuit language, in the PLONK proof system. It supports generating proofs, verifying them, and exporting a verifier smart contract.
The motivation of plonkit
To date, PLONK is one of the most performant zkSNARK proof systems in terms of proving time and proof size. As explained by Vitalik Buterin, because it benefits from a “universal and updateable” setup, PLONK is more secure than Groth16 without introducing much performance loss.
However, writing circuits in pure C++/Rust/… is inefficient, since it requires writing a lot of constraints by hand. With the developer-friendly Circom DSL, people can write circuits more efficiently and more conveniently. Plonkit is designed to bring PLONK to the Circom ecosystem. ^{1}
Functionalities
The functionalities of plonkit include:
 Local Structured Reference String (SRS) setup
 Verification Key Generation (corresponding to a given circuit)
 Proof Generation
 Proof Verification
 Verifier Smart Contract Generation
 Proof Aggregation
Local SRS setup
To export a verification key and to generate a proof (both explained later), we need a Structured Reference String. In test_poseidon_plonk.sh, we provide a download link ^{2} for an SRS file that was set up previously. According to matterlabs, this SRS file is parsed from AZTEC’s ignition setup.
For convenience in testing, we added support for generating an SRS locally.
Verification Key Generation
Users can export a verification key for a circuit. The verification key is needed for future proof verification.
Proof Generation
A prover can generate a proof proving he knows a witness satisfying the circuit.
Proof Verification
Proof verification checks a proof against a verification key.
Verifier Smart Contract Generation
Users can generate a verifier smart contract based on a verification key, then a proof can be verified on EVM using this smart contract.
Proof Aggregation
Plonkit wraps recursive_aggregation_circuit to achieve proof aggregation. Proof aggregation is based on the “Recursive Proof Composition” described in the Halo paper.
Some points worth noting (in the following explanations “we” stands for both “plonkit” and recursive_aggregation_circuit):
 Unlike Halo, we don’t use cyclic curves but simulate base field operations ^{3}, because on Ethereum we only have one curve (BN_254).
 We aggregate multiple proofs into one aggregated proof in a single step, instead of iterating and aggregating them one by one.
 We don’t check the pairing in the circuit. Instead, we aggregate the pairing points and check the pairing in the smart contract.
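To make the first point concrete, here is an added sketch (not code from plonkit or recursive_aggregation_circuit) of how a base-field multiplication can be checked with limbs whose column sums stay below the native scalar field. The limb width, limb count and function names are assumptions chosen for illustration; `Q` and `R` are the public BN254 base-field and scalar-field moduli.

```python
# BN254 moduli: Q is the base field (curve point coordinates), R is the scalar
# field in which a circuit over this curve does its native arithmetic.
Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583
R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
LIMB_BITS, NUM_LIMBS = 68, 4  # assumed sizes for illustration (4 * 68 >= 254)
BASE = 1 << LIMB_BITS

def to_limbs(x):
    """Split a non-negative integer below 2^(68*4) into little-endian limbs."""
    return [(x >> (LIMB_BITS * i)) % BASE for i in range(NUM_LIMBS)]

def from_limbs(limbs):
    return sum(l << (LIMB_BITS * i) for i, l in enumerate(limbs))

def columns(a, b):
    """Schoolbook limb product without carry propagation."""
    out = [0] * (2 * NUM_LIMBS - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def prove_mul(a, b):
    """Prover side: witness (k, c) with a*b = k*Q + c, both as limbs."""
    k, c = divmod(a * b, Q)
    return to_limbs(k), to_limbs(c)

def verify_mul(a_l, b_l, k_l, c_l):
    """Accept iff a*b = k*Q + c over the integers and c is canonical (< Q).
    a_l and b_l are assumed to be range-checked already."""
    # Range checks: without them a prover may pick oversized limbs or c >= Q.
    if any(not 0 <= l < BASE for l in k_l + c_l) or from_limbs(c_l) >= Q:
        return False
    lhs, rhs = columns(a_l, b_l), columns(k_l, to_limbs(Q))
    for i, l in enumerate(c_l):
        rhs[i] += l
    carry = 0
    for l, r in zip(lhs, rhs):
        t = l - r + carry
        if abs(t) >= R:  # would wrap around in the native field
            raise OverflowError("limb column exceeds native field")
        if t % BASE:     # each column difference must be a multiple of 2^68
            return False
        carry = t // BASE
    return carry == 0

def naive_mul(a, b):
    """Incorrect shortcut: reduce in the native field first, then modulo Q."""
    return ((a * b) % R) % Q
```

The range checks matter as much as the column equation: a witness with `c + Q` and `k - 1` satisfies `a*b = k*Q + c` over the integers and is rejected only because `c` is not below `Q`.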
Workflow / Use case
The diagram below demonstrates a typical workflow of using plonkit:
The test_poseidon_plonk.sh script is also a comprehensive example of the whole workflow.
Acknowledgements

Plonkit builds on top of the awesome libraries written by matterlabs:
 Plonkit also borrows some “R1CSFile reader” code from zkUtil.
 Furthermore, thanks to the great work and effort from the team behind Circom, developers can benefit from a friendly ZKP development language.
Thanks for the great work of these teams/individuals!
Try out plonkit here and have fun!

^{1} At the time the plonkit project started, Circom/snarkJS didn’t support PLONK, but it does now. Still, proving in plonkit is more efficient than in snarkJS (plonkit uses Rust and snarkJS uses JS, and their PLONK implementations are different), whereas snarkJS can be run in browsers but plonkit cannot.
^{2} Taken from https://github.com/matterlabs/zksync/blob/master/infrastructure/zk/src/run/run.ts#L77
^{3} We simulate base field elements as “limb”s.