Understanding PLONK (Part 1): Plonkish Arithmetization

Arithmetization refers to transforming computations into mathematical objects and then performing zero-knowledge proofs. Plonkish arithmetization is a specific arithmetization method in the Plonk proof system. Prior to the introduction of Plonkish, the mainstream circuit representation was R1CS, widely used in systems such as Pinocchio, Groth16, and Bulletproofs. In 2019, the Plonk scheme proposed a seemingly retrograde circuit encoding method. However, due to its extreme application of polynomial encoding, Plonk is no longer limited to “addition gates” and “multiplication gates” in arithmetic circuits, but can support more flexible “custom gates” and “lookup gates”.

Let’s first review the circuit encoding of R1CS, which is the most commonly used arithmetic scheme. Then we will compare it with the introduction of Plonkish encoding.

Arithmetic circuits and arithmeticization of R1CS

An arithmetic circuit consists of several multiplication gates and addition gates. Each gate has “two input” pins and one “output” pin, and any output pin can be connected to multiple input pins of gates.

First, let’s look at a very simple arithmetic circuit:

This circuit represents such a calculation:

$(x_{1} + x_{2}) \cdot (2 \cdot x_{3}) = o u t$

There are 4 variables in the circuit, with three variables being input variables $(x_{1}, x_{2}, x_{3})$ , one output variable $o u t$ , and one constant input with a value of $2$ .

A circuit has two states: “blank state” and “operational state”. When the input variables do not have specific values, the circuit is in the “blank state”, and we can only describe the relationship between the circuit wires, or the structural topology of the circuit.

The next step is to encode the “blank state” of the circuit, which means encoding the positions of each gate and their interconnecting wire relationships.

R1CS is centered around multiplication gates in the graph, using three “selector” matrices to connect the “left input,” “right input,” and “output” of the multiplication gates to respective variables.

Let’s start by looking at the left input of the multiplication gate at the top of the diagram. It can be described using the table below:

\begin{array}{|c|c|c|c|c|} \hline 1 & x_1 & x_2 & x_3 & out \ \hline 0 & 1 & 1 & 0 & 0 \ \hline \end{array}

$\begin{array}{|c|c|c|c|c|} \hline 1 & x_1 & x_2 & x_3 & out \ \hline 0 & 1 & 1 & 0 & 0 \ \hline \end{array}$

This form has only one row, so we can use a vector $U = (0, 1, 1, 0, 0)$ to represent that the left input of the multiplication gate is connected to two variables, $x_{1}$ and $x_{2}$ . Remember, all addition gates will be expanded into sums (or linear combinations) of multiple variables.

再看看其右输入，连接了一个变量 $x_{3}$ 和一个常数值，等价于连接了 $x_{3}$ 的两倍，那么右输入的选择子矩阵可以记为

\begin{array}{|c|c|c|c|c|} \hline 1 & x_1 & x_2 & x_3 & out \ \hline 0 & 0 & 0 & 2 & 0 \ \hline \end{array}

$\begin{array}{|c|c|c|c|c|} \hline 1 & x_1 & x_2 & x_3 & out \ \hline 0 & 0 & 0 & 2 & 0 \ \hline \end{array}$

Here, it can also be represented by a row vector $V = (0, 0, 0, 2, 0)$ , where the $2$ represents the constant terminal of the circuit in the above diagram.

The output of the final multiplication gate can be described as $W = (0, 0, 0, 0, 1)$ , with the output variable being $o u t$ .

\begin{array}{|c|c|c|c|c|} \hline 1 & x_1 & x_2 & x_3 & out \ \hline 0 & 0 & 0 & 0 & 1 \ \hline \end{array}

$\begin{array}{|c|c|c|c|c|} \hline 1 & x_1 & x_2 & x_3 & out \ \hline 0 & 0 & 0 & 0 & 1 \ \hline \end{array}$

With three vectors (U, V, W), we can constrain the operation of the circuit through an “inner product” equation:

$bi g (U \cdot (1, x_{1}, x_{2}, x_{3}, o u t)) \cdot (V \cdot (1, x_{1}, x_{2}, x_{3}, o u t)) = (W \cdot (1, x_{1}, x_{2}, x_{3}, o u t))$

After simplifying this equation, we can obtain:

$(x_{1} + x 2) \cdot (2 \cdot x_{3}) = o u t$

If we substitute these variables with the assignment vector $(1, x_{1}, x_{2}, x_{3}, o u t) = (1, 3, 4, 5, 70)$ , then the circuit operation can be verified through the “inner product” equation:

$(U \cdot (1, 3, 4, 5, 70)) \cdot (U \cdot (1, 3, 4, 5, 70)) = W \cdot (1, 3, 4, 5, 70)$

And if we have an incorrectly assigned vector, such as $(1, 3, 4, 0, 70)$ , it does not satisfy the “inner product equation”:

$(U \cdot (1, 3, 4, 0, 70)) \cdot (U \cdot (1, 3, 4, 0, 70)) \neq = W \cdot (1, 3, 4, 0, 70)$

The result of the left-side arithmetic is $0$ , and the result of the right-side arithmetic is $70$ . Of course, we can verify that $(1, 3, 4, 0, 0)$ is also a valid (satisfying circuit constraints) assignment.

Not every circuit has an assignment vector. Circuits that have a valid assignment vector are called satisfiable circuits. Determining whether a circuit is satisfiable is an NP-Complete problem and also an NP-hard problem.

The two multiplication gates in the examples are not the same. The multiplication gate above has variables in both inputs, while the multiplication gate below has a variable on one side and a constant on the other side. For the latter type of “constant multiplication gate”, we also consider them as special “addition gates”. As shown in the diagram below, the multiplication gate in the bottom right of the left circuit is equivalent to the addition gate in the bottom right of the right circuit.

So if a circuit contains more than two multiplication gates, we cannot use the inner product relationship between the vectors $U, V, W$ to represent the operation, and we need to construct an operation relationship between “three matrices”.

Multiple multiplication gates

For example, in the circuit shown below, there are two multiplication gates, and both their left and right inputs involve variables.

This circuit represents such a calculation:

$(x_{1} + x 2) \cdot (x 3 \cdot x 4) = o u t$

We encode the circuit based on the multiplication gates. In the first step, the multiplication gates in the circuit are numbered sequentially (the order of numbering doesn’t matter as long as it is consistent). The two multiplication gates in the diagram are encoded as #1 and #2.

And then we need to give variable names to the intermediate wires of each multiplication gate: for example, four input variables are denoted as $x_{1}, x_{2}, x_{3}, x_{4}$ , with $x_{5}$ being the output of the second multiplication gate and also serving as the right input of the first multiplication gate. And $o u t$ is the output of the first multiplication gate. Therefore, we can obtain a vector of variable names:

$(x_{1}, x_{2}, x_{3}, x_{4}, x_{5}, o u t)$

The “blank state” of this circuit can be encoded using the following three matrices:

$U, V, W \in F^{n \times m}$

I understand. Here is the text:

Where $n$ is the number of multiplication gates, and $m$ is approximately the number of wires. Each row of the matrix “selects” the input/output variables of the corresponding multiplication gate. For example, we define the left input matrix $U$ of the circuit:

\begin{array}{|c|c|c|c|c|} \hline x_1 & x_2 & x_3 & x_4 & x_5 & out & \texttt{i} \ \hline 1 & 1 & 0 & 0 & 0 & 0 & \texttt{1}\ \hline 0 & 0 & 1 & 0 & 0 & 0 & \texttt{2}\ \hline \end{array}

$\begin{array}{|c|c|c|c|c|} \hline x_1 & x_2 & x_3 & x_4 & x_5 & out & \texttt{i} \ \hline 1 & 1 & 0 & 0 & 0 & 0 & \texttt{1}\ \hline 0 & 0 & 1 & 0 & 0 & 0 & \texttt{2}\ \hline \end{array}$

The left input of the first multiplier gate is $(x_{1} + x_{2})$ , and the left input of the second multiplier gate is $x_{3}$ . The right input matrix $V$ is defined as:

\begin{array}{|c|c|c|c|c|} \hline x_1 & x_2 & x_3 & x_4 & x_5 & out &\texttt{i}\ \hline 0 & 0 & 0 & 0 & 1 & 0 & \texttt{1}\ \hline 0 & 0 & 0 & 1 & 0 & 0 & \texttt{2}\ \hline \end{array}

$\begin{array}{|c|c|c|c|c|} \hline x_1 & x_2 & x_3 & x_4 & x_5 & out &\texttt{i}\ \hline 0 & 0 & 0 & 0 & 1 & 0 & \texttt{1}\ \hline 0 & 0 & 0 & 1 & 0 & 0 & \texttt{2}\ \hline \end{array}$

The right input of gate No. 1 is $x_{5}$ , and the right input of the second multiplication gate is $x_{4}$ . Finally, the output matrix $W$ is defined as follows:

\begin{array}{|c|c|c|c|c|} \hline x_1 & x_2 & x_3 & x_4 & x_5 & out & \texttt{i}\ \hline 0 & 0 & 0 & 0 & 0 & 1 & \texttt{1}\ \hline 0 & 0 & 0 & 0 & 1 & 0 & \texttt{2}\ \hline \end{array}

$\begin{array}{|c|c|c|c|c|} \hline x_1 & x_2 & x_3 & x_4 & x_5 & out & \texttt{i}\ \hline 0 & 0 & 0 & 0 & 0 & 1 & \texttt{1}\ \hline 0 & 0 & 0 & 0 & 1 & 0 & \texttt{2}\ \hline \end{array}$

We treat all the wire assignments as a vector: $a$ (here using the letter $a$ , taken from the first letter of Assignments)

In the above example, the “assignment vector” is

$v ec a = (x_{1}, x_{2}, x_{3}, x_{4}, x_{5}, o u t)$

So we can easily verify the following equation.

$(U \cdot a) \circ (V \cdot a) = (W \cdot a)$

The symbol $\circ$ represents Hadamard Product, which indicates “element-wise multiplication”. Expanding the above element-wise multiplication equation, we can obtain the operation process of this circuit:

\left[

$\begin{array}{c} x_1 + x_2 \ x_3 \ \end{array}$ \right] \circ \left[

$\begin{array}{c} x_5 \ x_4 \ \end{array}$ \right]= \left[

$\begin{array}{c} out \ x_5 \ \end{array}$ \right]

Please note that in general, a “assignment vector” needs a variable with a fixed value of $1$ , which is necessary to handle constant inputs in addition gates.

Advantages and disadvantages

Due to the R1CS encoding being centered around multiplication gates, the addition gates in the circuit do not increase the number of rows in the matrices $U, V, W$ , thus having little impact on the performance of the Prover. The encoding of R1CS circuits is clear and simple, which facilitates the construction of various SNARK schemes on top of it.

The encoding scheme in the 2019 Plonk paper requires encoding both addition and multiplication gates, which seems to increase the number of constraints and decrease the proving performance. However, the Plonk team subsequently introduced additional gates besides multiplication and addition, such as gates for range checks and XOR operations. Moreover, Plonk supports any gate with polynomial relations between its inputs and outputs, known as Custom Gates, as well as state transition gates for implementing RAM. With the introduction of lookup gates, the Plonk scheme gradually became the preferred choice for many applications, and its encoding method also gained a dedicated term: Plonkish.

Plonkish Arithmetic Door

Looking back at the example circuit, we will number all three gates as $1, 2, 3$ , and we will also mark the output value of the adder gate as variable $x_{6}$ .

Clearly, the above circuit satisfies three constraints:

$x_{1} + x_{2} = x_{6}$
$x_{3} \cdot x_{4} = x_{5}$
I understand. Here is the translation:

“ $x_{6} \cdot x_{5} = o u t$ ”

We define a matrix $W \in F^{n \times 3}$ to represent the constraints (where $n$ is the number of arithmetic gates):

$\begin{array}{c|c|c|c|} \texttt{i} & w_a & w_b & w_c \ \hline \texttt{1} & x_6 & x_5 & out \ \texttt{2} & x_1 & x_2 & x_6 \ \texttt{3} & x_3 & x_4 & x_5 \ \end{array}$

In order to differentiate addition and multiplication, we define a vector $Q \in F^{n \times 5}$ to represent the operator.

$\begin{array}{c|c|c|c|} \texttt{i} & q_L & q_R & q_M & q_C & q_O \ \hline \texttt{1} & 0 & 0 & 1 & 0& 1 \ \texttt{2} & 1 & 1 & 0 & 0& 1 \ \texttt{3} & 0 & 0 & 1 & 0& 1 \ \end{array}$

So we can represent the three constraints using the following equations:

$q_{L} \circ w_{a} + q_{R} \circ w_{b} + q_{M} \circ (w_{a} \cdot w_{b}) + q_{C} - q_{O} \circ w_{c} = 0$

If we substitute and expand the equation above, we can obtain the following constraint equations:

\left[

$\begin{array}{c} 0\ 1 \ 0\ \end{array}$ \right] \circ \left[

$\begin{array}{c} x_6 \ x_1 \ x_5\ \end{array}$ \right] + \left[

$\begin{array}{c} 0\ 1 \ 0\ \end{array}$ \right] \circ \left[

$\begin{array}{c} x_5 \ x_2 \ x_4\ \end{array}$ \right] + \left[

$\begin{array}{c} 1\ 0 \ 1\ \end{array}$ \right] \circ \left[

$\begin{array}{c} x_6\cdot x_5 \ x_1\cdot x_2 \ x_3\cdot x_4\ \end{array}$ \right]=\left[

$\begin{array}{c} 1\ 1 \ 1\ \end{array}$ \right] \circ \left[

$\begin{array}{c} out \ x_6 \ x_5\ \end{array}$ \right]

Simplified to:

\left[

$\begin{array}{c} 0 \ x_1 \ 0\ \end{array}$ \right] + \left[

$\begin{array}{c} 0 \ x_2 \ 0\ \end{array}$ \right] + \left[

$\begin{array}{c} x_6\cdot x_5 \ 0 \ x_3\cdot x_4\ \end{array}$ \right]=\left[

$\begin{array}{c} out \ x_6 \ x_5\ \end{array}$ \right]

This is exactly the calculation constraint of three arithmetic operations.

In summary, Plonkish requires a matrix $Q$ to describe the circuit’s blank state, while all assignments are written into the matrix $W$ . For the exchange protocol between the Prover and Verifier, $W$ is the Prover’s witness, which is considered secret and kept confidential from the Verifier. The matrix $Q$ represents a circuit description that achieves consensus between both parties.

However, having only the $Q$ matrix is not sufficient to accurately describe the circuit in the example above.

Copy Constraints

Compare the following two circuits. Their Q matrices are completely identical, but they are completely different.

The difference between the two circuits lies in whether $x_{5}, x_{6}$ are connected to gate #1. If the Prover directly fills in the assignment of the circuit in the $W$ table, an “honest” Prover would fill in the same value in the positions $w a, 1$ and $w$ c,2; while a “malicious” Prover could fill in different values. If the malicious Prover also fills in different values in $w b, 1$ and $w$ c,3, then in reality, the Prover is proving the circuit on the right side of the diagram, not the agreed-upon circuit between the Verifier and the Prover (on the left side).

$\begin{array}{c|c|c|c|} i & w_a & w_b & w_c \ \hline 1 & \boxed{x_6} & \underline{x_5} & out \ 2 & x_1 & x_2 & \boxed{x_6} \ 3 & x_3 & x_4 & \underline{x_5} \ \end{array}$

We need to add new constraints that require in the right circuit diagram $x_{6} = x_{7}$ and $x_{5} = x_{8}$ . This is equivalent to demanding that when Prover fills in multiple positions in the table with the same variable, they must fill in equal values.

This requires a new type of constraint called “Copy Constraint”. Plonk uses “Permutation Proofs” to ensure that the values at multiple positions in the table $W$ satisfy the copy relationship. We continue to use the example of the circuit diagram above to illustrate its basic idea:

Imagine that we arrange all the position indices in table $W$ into a vector:

$s i g m a_{0} = (w a, 1, w a, 2, w a, 3, \underline{w} b, 1$ ,wb,2,wb,3,wc,1,wc,2,w_c,3)

Then swap the two positions that should be equal, for example, in the figure above, it is required that $w a, 1 = w c, 2$ and $w b, 1 = w c, 3$ . Thus, we obtain the following positional vectors:

$s i g ma = (w c, 2, w a, 2, w a, 3, \underline{w} c, 3$ ,wb,2,wb,3,wc,1,wa,1,w_b,1)

Then we ask the Prover to prove that: $W$ table remains the same after the permutation above. The equality before and after the permutation ensures that the Prover cannot cheat.

Here’s another example, when constraining that three (or more) values in a vector must be equal, you only need to shift the values at these three (or more) positions cyclically (left or right), and then prove that the shifted vector is equal to the original vector. For example:

$A = (b_{1}, b_{2}, \underline{a_{1}}, b_{3}, \underline{a_{2}}, b_{4}, \underline{a_{3}})$

If we want to prove that $a_{1} = a_{2} = a_{3}$ , then we only need to prove:

$A^{'} = (b_{1}, b_{2}, \underline{a_{3}}, b_{3}, \underline{a_{1}}, b_{2}, \underline{a_{2}}) = ? A$

In the vector $A^{'}$ after shuffling, $a_{1}, a_{2}, a_{3}$ are moved and swapped to the right in sequence, meaning $a_{1}$ is placed in the original position of $a_{2}$ , while $a_{2}$ is placed in the position of $a_{3}$ , and $a_{3}$ is placed in the position of $a_{1}$ .

If $A^{'} = A$ , then all the values at the corresponding positions of $A^{'}$ and $A$ should be equal. It can be deduced that: $a_{1} = a_{3}$ , $a_{2} = a_{1}$ , $a_{3} = a_{2}$ , which means $a_{1} = a_{2} = a_{3}$ . This method is applicable to any number of equivalent relationships. (For the subsequent method of proving the equality of two vectors, please refer to the next chapter.)

So how to describe the exchange in the circuit assignment table? We only need to record the $σ$ vector, of course, the $σ$ vector can also be written in the form of a table:

$\begin{array}{c|c|c|c|} i & \sigma_a & \sigma_b & \sigma_c \ \hline 1 & \boxed{w_{c,2}} & \underline{w_{c,3}}& w_{c,1} \ 2 & w_{a,2} & w_{b,2} & \boxed{w_{a,1}} \ 3 & w_{a,3} & w_{b,3} & \underline{w_{b,1}} \ \end{array}$

Adding $σ$ , the blank circuit can be described as $(Q, σ)$ , where the assignment of the circuit is $W$ .

$ma t h s f Pl o nki s h_0 ≜ (Q, σ; W)$

Comparison again

The width of the $(U, V, W)$ table in R1CS depends on the number of wires, and the number of rows depends on the number of multiplication gates. This construction treats arithmetic circuits as consisting only of multiplication gates, but each gate has multiple input pins (up to the total number of wires). On the other hand, Plonkish treats addition and multiplication gates equally, and because there are only two input pins, the width of the $W$ table is fixed at three columns (although the table can be expanded to support more advanced gates). This feature allows Plonk to utilize the Permutation Argument for the implementation of copy constraints.

…, and thus our linear contraints are just wiring constraints that can be reduced to a permutation check.

按照 Plonk 论文的统计，一般情况下，算术电路中加法门的数量是乘法门的两倍。如果这样看来， $W$ 表格的行数会三倍于 R1CS 的矩阵。但这个让步会带来更多的算术化灵活度。

Circuit verification protocol framework

With the description and assignment of the circuit blank structure, we can roughly describe the protocol framework of Plonk.

First, the Prover and Verifier agree on a common circuit, $(Q, σ)$ . Assuming the public output of the circuit is $o u t = 99$ , and $(x_{1}, x_{2}, x_{3}, x_{4})$ are the secret inputs.

Fill in the $W$ matrix (Invisible to Verifier):

$\begin{array}{c|c|c|c|} i & w_a & w_b & w_c \ \hline 1 & \boxed{x_6} & \underline{x_5} & [out] \ 2 & x_1 & x_2 & \boxed{x_6} \ 3 & x_3 & x_4 & \underline{x_5} \ 4 & 0 & 0 & [out] \ \end{array}$

The additional fourth line is added to introduce an extra arithmetic constraint: $o u t = 99$ , where the value of $o u t$ is explicitly shown in the matrix $Q$ .

The corresponding $Q$ matrix for the consensus of Prover and Verifier is

$\begin{array}{c|c|c|c|} i & q_L & q_R & q_M & q_C & q_O \ \hline 1 & 0 & 0 & 1 & 0& 1 \ 2 & 1 & 1 & 0 & 0& 1 \ 3 & 0 & 0 & 1 & 0& 1 \ 4 & 0 & 0 & 0 & 99& 1 \ \end{array}$

I understand. Here is the text:

“In the fourth line constraint, it ensures that $o u t = 99$ . By substituting $(q_{L} = 0, q_{R} = 0, q_{M} = 0, q_{C} = 99, q_{O} = 1)$ into the arithmetic constraint below, we obtain $99 - w_{c} = 0$ , which means $w c, 4 = 99"."$ $q_{L} \circ w_{a} + q_{R} \circ w_{b} + q_{M} \circ (w_{a} \cdot w_{b}) + q_{C} - q_{O} \circ w_{c} = 0$ $T oe n s u re t ha tt h e v a l u eo f$ w_c $in t h e f i rs t ro w i s a l so$ 99 $, ana dd i t i o na l co p yco n s t r ain t n ee d s t o b e a dd e d in t h e$ \sigma $ma t r i x : t h e p os i t i o n o f t h e v a r iab l e$ outw_{c,1} $s h o u l d b es w a pp e d w i t h t h eo u tp u t$ w_{c,4} $o f t h e f o u r t h ro w .$

$\begin{array}{c|c|c|c|} i & \sigma_a & \sigma_b & \sigma_c \ \hline 1 & \boxed{w_{c,2}} & \underline{w_{c,3}} & [w_{c,4}] \ 2 & w_{a,2} & w_{b,2} & \boxed{w_{a,1}} \ 3 & w_{a,3} & w_{b,3} & \underline{w_{b,1}} \ 4 & w_{a,4} & w_{b,4} & [w_{c,1}]\ \end{array}$ $I f P ro v er i s h o n es t, t h e n t h e f o ll o w in g a r i t hm e t i cco n s t r ain t e q u a t i o n s h o l df or$ i\in(1,2,3,4) $:$ $q$ L,i∘wa,i+qR,i∘wb,i+qM,i∘(wa,i⋅wb,i)+qC,i−qO,i∘wc,i=0 $T h e g e n er a l i d e a o f t h e v er i f i c a t i o n p ro t oco l i s a s f o ll o w s : P ro t oco l s t a r t s : P ro v er t r u t h f u ll y f i ll so u tt h e$ W $t ab l e, t h e n e n co d ese a c h co l u mn o f t h e$ W $t ab l e an d p er f or m s p o l y n o mia l e n co d in g, an d se n d s t h ee n co d e d res u ltt o V er i f i er . A g ree m e n t v er i f i c a t i o n p ha se : T h e V er i f i er an d P ro v er in t er a c t f u r t h er t o v er i f y w h e t h er t h e f o ll o w in g e q u a t i o nh o l d s t r u e :$ $q$ L(X)⋅wa(X)+qR(X)⋅wb(X)+qM(X)⋅(wa(X)⋅wb(X))+qC(X)−qO(X)⋅w_c(X)=?0

O f co u rse, t hi s v er i f i c a t i o ni s n o t e n o ug h . W e a l so n ee d t o v er i f y t h ere l a t i o n s hi p b e tw ee n

(\sigma_a(X),\sigma_b(X),\sigma_c(X))

an d

(w_a(X),w_b(X),w_c(X))$. Also, how does the Verifier verify the circuit operations through polynomials, please refer to the following chapters.

References

I understand. Here is the translation:

[BG12] Bayer, Stephanie, and Jens Groth. “Efficient zero-knowledge argument for correctness of a shuffle.” Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Berlin, Heidelberg, 2012.
I understand. Here is the text:

[GWC19] Ariel Gabizon, Zachary J. Williamson, and Oana Ciobotaru. “Plonk: Permutations over lagrange-bases for oecumenical noninteractive arguments of knowledge.” Cryptology ePrint Archive (2019).

ZKPunk's ZKPedia