Slide 1

Theory and Applications of Zero-Knowledge Proof, Part: Introduction
Sora Suegami, Department of Information and Communication Engineering, The University of Tokyo

Slide 2

Introduce myself. Name: Sora Suegami. Twitter: @SoraSue77. Affiliation: Department of Information and Communication Engineering, The University of Tokyo. My favorites: Ethereum, Cryptography.

Slide 3

What is Zero-Knowledge Proof?
1. A prover wants to prove that he knows a solution to a problem.
2. The prover cannot teach the solution itself.
3. A verifier wants to verify the solution with small computation and data volume.
[Figure: the prover sends the verifier a proof of possession of the solution (not the solution itself); the verifier outputs Accept / Reject.]

Slide 4

Problem Conversion
1. Arithmetic Circuit / RAM Program
2. Constraints
3. Polynomial / Inner Product

Slide 5

Problem Conversion
1. Arithmetic Circuit / RAM Program
2. Constraints
3. Polynomial / Inner Product
(The conversion steps are labelled Manual, Semi-automatic and Automatic.)

Slide 6

In Plonk [GWC19]…
1. Arithmetic Circuit / RAM Program
2. Constraints
3. Polynomial / Inner Product
(The conversion steps are labelled Manual, Semi-automatic and Automatic.)

Slide 7

What is Arithmetic Circuit? [Figure: a circuit built from multiplication gates (×) and addition gates (+) that takes Input 1 to Input 6 and produces one Output.]

Slide 8

Arithmetic Circuit -> Constraint. The output of a gate is the result of adding or multiplying its two inputs, so a correct input-output triple of a gate must satisfy a particular equation.

Slide 9

Gate Constraint. Addition gate with inputs $X_L$, $X_R$ and output $X_O$: $X_L + X_R - X_O = 0$.

Slide 10

Gate Constraint. Multiplication gate with inputs $X_L$, $X_R$ and output $X_O$: $X_L X_R - X_O = 0$.

Slide 11

Gate Constraint. All kinds of gates are represented by one equation:
$Q_L X_L + Q_R X_R + Q_M X_L X_R + Q_C + Q_O X_O = 0$
Addition => $Q_L = 1, Q_R = 1, Q_M = 0, Q_C = 0, Q_O = -1$
Multiplication => $Q_L = 0, Q_R = 0, Q_M = 1, Q_C = 0, Q_O = -1$
Constant => $Q_L = 1, Q_R = 0, Q_M = 0, Q_C = -c, Q_O = 0$ (this fixes $X_L = c$)

Slide 12

Gate Constraint. [Figure: the circuit of slide 7 with its five gates numbered 1 to 5; gate $i$ has input wires $X_{Li}$, $X_{Ri}$ and output wire $X_{Oi}$. Gates 1, 2 and 5 are multiplication gates, gates 3 and 4 are addition gates.]

Slide 13

Gate Constraint
Gate 1 (×): $0 X_{L1} + 0 X_{R1} + 1 X_{L1} X_{R1} + 0 + (-1) X_{O1} = 0$
Gate 2 (×): $0 X_{L2} + 0 X_{R2} + 1 X_{L2} X_{R2} + 0 + (-1) X_{O2} = 0$
Gate 3 (+): $1 X_{L3} + 1 X_{R3} + 0 X_{L3} X_{R3} + 0 + (-1) X_{O3} = 0$
Gate 4 (+): $1 X_{L4} + 1 X_{R4} + 0 X_{L4} X_{R4} + 0 + (-1) X_{O4} = 0$
Gate 5 (×): $0 X_{L5} + 0 X_{R5} + 1 X_{L5} X_{R5} + 0 + (-1) X_{O5} = 0$

Slide 14

Copy Constraint is also necessary! [Figure: the same five-gate circuit; the wires that carry one gate's output into another gate's input are highlighted.]

Slide 15

Copy Constraint is also necessary! ($x_{O1} = x_{L5}$, $x_{O2} = x_{R5}$, …)
Prepare constraints for each wire? <- However, we want to avoid increasing the types of constraints!
=> We only need to know if all the equations hold. (We don't need detailed information.)
=> Compute one value that aggregates all variables (accumulator)!

Slide 16

Copy Constraint is also necessary! ($x_{O1} = x_{L5}$, $x_{O2} = x_{R5}$, …)
What does it mean that two variables are equivalent?
=> Swapping the two variables does not change the result of the accumulator.
=> We only verify "accumulator without variable swapping" = "accumulator with variable swapping".

Slide 17

Example of Copy Constraint. [Figure: a three-gate circuit; gate 1 is an addition gate, gates 2 and 3 are multiplication gates, gate $i$ has wires $X_{Li}$, $X_{Ri}$, $X_{Oi}$, and the outputs of gates 1 and 2 feed the inputs of gate 3.]
$x_L = (x_{L1}, x_{L2}, x_{L3})$, $x_R = (x_{R1}, x_{R2}, x_{R3})$, $x_O = (x_{O1}, x_{O2}, x_{O3})$

Slide 18

Example of Copy Constraint
Index  Permuted index  Variable (Wire)
1      1               $x_{L1} \to x_1$
2      2               $x_{L2} \to x_2$
3      7               $x_{L3} \to x_3$
4      4               $x_{R1} \to x_4$
5      5               $x_{R2} \to x_5$
6      8               $x_{R3} \to x_6$
7      3               $x_{O1} \to x_7$
8      6               $x_{O2} \to x_8$
9      9               $x_{O3} \to x_9$

Slide 19

Example of Copy Constraint
Index  Permuted index  Variable (Wire)    Polynomial f(Y,Z)  Polynomial g(Y,Z)
1      1               $x_{L1} \to x_1$   $x_1 + 1Y + Z$     $x_1 + 1Y + Z$
2      2               $x_{L2} \to x_2$   $x_2 + 2Y + Z$     $x_2 + 2Y + Z$
3      7               $x_{L3} \to x_3$   $x_3 + 3Y + Z$     $x_3 + 7Y + Z$
4      4               $x_{R1} \to x_4$   $x_4 + 4Y + Z$     $x_4 + 4Y + Z$
5      5               $x_{R2} \to x_5$   $x_5 + 5Y + Z$     $x_5 + 5Y + Z$
6      8               $x_{R3} \to x_6$   $x_6 + 6Y + Z$     $x_6 + 8Y + Z$
7      3               $x_{O1} \to x_7$   $x_7 + 7Y + Z$     $x_7 + 3Y + Z$
8      6               $x_{O2} \to x_8$   $x_8 + 8Y + Z$     $x_8 + 6Y + Z$
9      9               $x_{O3} \to x_9$   $x_9 + 9Y + Z$     $x_9 + 9Y + Z$

Slide 20

Example of Copy Constraint. For all $Y, Z \in F_r$:
$x_3 + 3Y + Z = x_7 + 3Y + Z$, $x_6 + 6Y + Z = x_8 + 6Y + Z$, $x_7 + 7Y + Z = x_3 + 7Y + Z$, $x_8 + 8Y + Z = x_6 + 8Y + Z$
⇔ $x_3 = x_7$, $x_6 = x_8$, $x_7 = x_3$, $x_8 = x_6$

Slide 21

Example of Copy Constraint. For all $Y, Z \in F_r$, the four equalities
$x_3 + 3Y + Z = x_7 + 3Y + Z$, $x_6 + 6Y + Z = x_8 + 6Y + Z$, $x_7 + 7Y + Z = x_3 + 7Y + Z$, $x_8 + 8Y + Z = x_6 + 8Y + Z$
give the single product equality
$(x_3 + 3Y + Z)(x_6 + 6Y + Z)(x_7 + 7Y + Z)(x_8 + 8Y + Z) = (x_3 + 7Y + Z)(x_6 + 8Y + Z)(x_7 + 3Y + Z)(x_8 + 6Y + Z)$

Slide 22

Example of Copy Constraint. For all $Y, Z \in F_r$:
$\prod_{i=1}^{9} (x_i + iY + Z) = \prod_{i=1}^{9} (x_i + \sigma(i)Y + Z)$

Slide 23

Example of Copy Constraint. Instead of requiring the equality for all $Y, Z \in F_r$, uniformly sample $\beta, \gamma \in F_r$ and check
$\prod_{i=1}^{n} (x_i + i\beta + \gamma) = \prod_{i=1}^{n} (x_i + \sigma(i)\beta + \gamma)$
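As an added example (not from the slides), the gate equation of slide 11 and the permutation product of slides 18-23 checked over a small prime field; the field $F_r$ is assumed to be the integers mod 101 and the witness values are constructed:

```python
import random

R = 101  # constructed small prime standing in for the field order r


def gate_ok(qL, qR, qM, qC, qO, xL, xR, xO):
    """Slide 11: Q_L X_L + Q_R X_R + Q_M X_L X_R + Q_C + Q_O X_O = 0 (mod r)."""
    return (qL * xL + qR * xR + qM * xL * xR + qC + qO * xO) % R == 0


def permutation_product_ok(xs, sigma, beta, gamma):
    """Slides 22-23: prod_i (x_i + i*beta + gamma) == prod_i (x_i + sigma(i)*beta + gamma).

    xs holds x_1..x_n (1-indexed as xs[i-1]); sigma[i] is the index of the wire
    that must carry the same value as wire i (i itself when unconstrained).
    """
    lhs = rhs = 1
    for i, x in enumerate(xs, start=1):
        lhs = lhs * (x + i * beta + gamma) % R
        rhs = rhs * (x + sigma[i] * beta + gamma) % R
    return lhs == rhs


# The three-gate circuit of slides 17-18: gate 1 adds, gates 2 and 3 multiply,
# and the copy constraints are x_O1 = x_L3 (indices 7 and 3) and
# x_O2 = x_R3 (indices 8 and 6). Selector rows are (Q_L, Q_R, Q_M, Q_C, Q_O).
SIGMA = {1: 1, 2: 2, 3: 7, 4: 4, 5: 5, 6: 8, 7: 3, 8: 6, 9: 9}
SELECTORS = [(1, 1, 0, 0, -1), (0, 0, 1, 0, -1), (0, 0, 1, 0, -1)]


def witness(xL, xR, xO):
    """Flatten (x_L, x_R, x_O) into the vector x_1..x_9 of slide 18."""
    return list(xL) + list(xR) + list(xO)


def check_circuit(xL, xR, xO, beta, gamma):
    """Return (all gate constraints hold, copy constraints hold)."""
    gates = all(gate_ok(*SELECTORS[i], xL[i], xR[i], xO[i]) for i in range(3))
    copies = permutation_product_ok(witness(xL, xR, xO), SIGMA, beta, gamma)
    return gates, copies


# Constructed witnesses. GOOD: 2 + 3 = 5, 4 * 6 = 24, 5 * 24 = 120 = 19 (mod 101),
# with gate 3 fed by the outputs of gates 1 and 2. BAD keeps every gate equation
# true but sets x_L3 = 7, which is no longer a copy of x_O1 = 5.
GOOD = ((2, 4, 5), (3, 6, 24), (5, 24, 19))
BAD = ((2, 4, 7), (3, 6, 24), (5, 24, 168 % R))

if __name__ == "__main__":
    beta, gamma = random.randrange(1, R), random.randrange(1, R)
    print(check_circuit(*GOOD, beta, gamma))  # (True, True)
    # The BAD copy check can only pass on the few (beta, gamma) pairs that are
    # roots of the degree-9 difference polynomial: at most 9/101 of them.
    print(check_circuit(*BAD, beta, gamma))
```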

Slide 24

In Plonk [GWC19]…
1. Arithmetic Circuit / RAM Program
2. Constraints
3. Polynomial / Inner Product
(The conversion steps are labelled Manual, Semi-automatic and Automatic.)

Slide 25

Polynomial Commitment. A $d$-degree polynomial: $f(x) = \sum_{i=0}^{d} a_i x^i = a_0 + a_1 x + a_2 x^2 + \cdots + a_d x^d$

Slide 26

Polynomial Commitment. What is a cryptographic commitment? Suppose you want to play rock-paper-scissors online between two players.
1. Neither player's hand should be revealed to the other until both have made their hands. (Hiding)
2. When revealing his hand, a player must not be able to change the hand sent in step 1. (Binding)

Slide 27

Polynomial Commitment. Commitment [Oka19]: [Commitment] Alice sends Bob $hash_A = Hash(x_{Rock}, r)$. Bob cannot tell Alice's hand because it is difficult to reverse the hash function. (Hiding)

Slide 28

Polynomial Commitment. Commitment [Oka19]: [Opening] Alice sends Bob $x_{Rock}$ and $r$, and Bob recomputes $hash_A$. Alice cannot change her hand because it is difficult to find a hash collision. (Binding)

Slide 29

Polynomial Commitment. What is Polynomial Commitment [KZG10] [Fei20]?
1. Commit the coefficients of a polynomial $f(x)$.
2. Open an evaluation point $a$ and its evaluation result $z = f(a)$.
3. As long as the verifier knows the commitment of the polynomial (without knowing its coefficients), he/she can verify whether a given evaluation point $a$ and evaluation result $z$ satisfy the relationship of the committed polynomial ($z = f(a)$).

Slide 30

Slide 30 text

The advantage of Kate Commitment [KZG10] [Fei20] Polynomial Commitment • A commitment hides coefficients of the polynomial. • The size of the commitment is constant regardless of the degree. (e.g. 32 bytes, 48 bytes) • The size of the proof is also constant regardless of the degree. • The computation amount of the verification is also constant regardless of the degree. If we can convert a problem to prove into some polynomials… • A prover can prove the correctness while keeping a solution confidential. • A verifier can verify the proof with small computation and data volume.

Slide 31

Slide 31 text

How to achieve Kate Commitment ? Using pairing for points on an elliptic curve, prove the knowledge of the polynomial . f(x) − z x − a Kate Commitment [KZG10]

Slide 32

Slide 32 text

Kate Commitment [KZG10] Alice Bob If we do not use an elliptic curve… [Commitment] [Opening] a, z, t(x) = f(x) − z x − a f(x)

Slide 33

Slide 33 text

Kate Commitment [KZG10] Alice Bob f(x) − z? = t(x)(x − a) If we do not use an elliptic curve…

Slide 34

Slide 34 text

Kate Commitment [KZG10] Alice Bob ପԁۂઢΛ࢖Θͳ͚Ε͹… f(x) − z? = t(x)(x − a) Kate Commitment [KZG10] ପԁۂઢΛ࢖Θͳ͚Ε͹… The coefficients of are not hidden! f(x) The computation and data volume for the verifier increases according to the polynomial degree! AND

Slide 35

Slide 35 text

Kate Commitment [KZG10] Alice Bob ପԁۂઢΛ࢖Θͳ͚Ε͹… f(x) − z? = t(x)(x − a) Kate Commitment [KZG10] ପԁۂઢΛ࢖Θͳ͚Ε͹… Evaluate the polynomial on the secret point (SRS) generated by a trusted third party. The coefficients of are not hidden! f(x) The computation and data volume for the verifier increases according to the polynomial degree! AND

Slide 36

Slide 36 text

Properties of pairing (more generally, bilinear maps) 1. Bilinear For all , 2. Non-degenerate If satisfies for all , P1 , P2 ∈ 𝔾1 , Q1 , Q2 ∈ 𝔾2 e(P1 + P2 , Q1 ) = e(P1 , Q1 )e(P2 , Q2 ) e(P1 , Q1 + Q2 ) = e(P1 , Q1 )e(P1 , Q2 ) Q ∈ 𝔾2 e(P, Q) = 1 P ∈ 𝔾1 Q = O What is pairing [ASTTM16] ? e(xP, yQ) = e(P, Q)xy

Slide 37

Slide 37 text

Setup SRS by a trusted third party: The order of is denoted by , the maximum degree of a supported is . Uniformly sample , SRS is defined as follows. P ∈ 𝔾1 , Q ∈ 𝔾2 r 𝒇(𝒙) 𝑑 𝑠 ∈ 𝐹𝑟 𝒔𝒓𝒔 ≔ {𝒔𝑷, 𝒔𝟐𝑷, ⋯, 𝒔𝒅𝑷, 𝒔𝑸} Kate Commitment [KZG10]

Slide 38

Slide 38 text

When , its commitment is defined as follows. 𝑓(𝑥) = 𝑎0 + 𝑎1 𝑥 + ⋯ + 𝑎𝑑 𝑥𝑑 f(s)P = (a0 + a1 s + … + ad sd)P = a0 P + a1 (sP) + … + ad (sdP) The prover can compute from SRS, without knowing ! f(s)P s Kate Commitment [KZG10] A commitment of the polynomial f(x)

Slide 39

Slide 39 text

When , its opening is defined as follows. t(x) = f(x) − z x − a = t0 + t1 x + … + td xd t(s)P = (t0 + t1 s + … + td sd)P = t0 P + t1 (sP) + … + td (sdP) The prover can also compute from SRS, without knowing ! t(s)P s Kate Commitment [KZG10] A opening of the polynomial evaluation f(a) = z

Slide 40

Slide 40 text

𝑒(𝑓(𝑠)𝑃 − 𝑧𝑃, 𝑄)? = 𝑒(𝑡(𝑠)𝑃, 𝑠𝑄 − 𝑎𝑄) [Correctness] (RHS) (LHS) [Hiding] Because of the difficulty of the discrete logarithm problem. = 𝑒(𝑃, 𝑄)𝑡(𝑠)(𝑠−𝑎) = 𝑒(𝑃, 𝑄)𝑓(𝑠) − 𝑧 𝑠 − 𝑎 (𝑠−𝑎) = 𝑒(𝑃, 𝑄)𝑓(𝑠)−𝑧 = Kate Commitment [KZG10] Verification of the opening:

Slide 41

Slide 41 text

𝑒(𝑓(𝑠)𝑃 − 𝑧𝑃, 𝑄)? = 𝑒(𝑡(𝑠)𝑃, 𝑠𝑄 − 𝑎𝑄) [Binding] Why is it sufficiently secure to evaluate the equation at one random point? (e.g. An adversary might be able to forge an invalid polynomial where the equation holds only on that random point.) Kate Commitment [KZG10] Verification of the opening:

Slide 42

Slide 42 text

A degree- polynomial that are not identically zero on a finite field . d f(x) Fr Uniformly sample from a subset . r S ⊂ Fr Pr[𝑓(𝑟) = 0] ≤ 𝑑 |𝑆| Schwartz-Zippel Lemma [Har11]

Slide 43

Slide 43 text

The number of points where is at most . f(x) = 0 d The number of candidates of is r |S| Pr[𝑓(𝑟) = 0] ≤ 𝑑 |𝑆| Schwartz-Zippel Lemma [Har11]

Slide 44

Slide 44 text

Kate Commitment [KZG10] Since is sampled from sufficiently large finite field , the probability is negligible. r Fr d |Fr | [Binding] Why is it sufficiently secure to evaluate the equation at one random point?
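An added example (not from the slides) of the quotient polynomial of slide 39 and the identity that the pairing check of slide 40 verifies in the exponent, together with a count of the accepting points for a forged opening as in slides 41-44; it assumes $r = 101$ and omits the elliptic-curve groups (the multiplications by $P$ and $Q$), so it shows the field-level identity only:

```python
R = 101  # constructed small prime standing in for the group order r


def evaluate(coeffs, x):
    """Horner evaluation of a_0 + a_1 x + ... + a_d x^d (mod r); coeffs are low degree first."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % R
    return acc


def quotient(coeffs, a, z):
    """Slide 39: t(x) = (f(x) - z) / (x - a), or None when z != f(a).

    Synthetic division by (x - a); the remainder equals f(a) - z, so the
    division is exact only for a genuine evaluation.
    """
    num = list(coeffs)
    num[0] = (num[0] - z) % R
    t, carry = [0] * (len(num) - 1), 0
    for i in range(len(num) - 1, 0, -1):
        carry = (num[i] + carry * a) % R  # coefficient t_{i-1}
        t[i - 1] = carry
    return t if (num[0] + carry * a) % R == 0 else None


def verify_opening(f_s, z, t_s, s, a):
    """Slide 40 in the exponent: e(f(s)P - zP, Q) = e(t(s)P, sQ - aQ) holds
    exactly when f(s) - z = t(s) * (s - a) in F_r."""
    return (f_s - z) % R == t_s * (s - a) % R


def accepting_points(coeffs, a, z, t_coeffs):
    """Slides 41-44: count the secret points s at which the check accepts (a, z, t).

    For a genuine opening every s accepts. For a forged one, f(x) - z - t(x)(x - a)
    is a nonzero polynomial of degree at most d, so at most d of the r points
    accept (Schwartz-Zippel with S = F_r)."""
    return sum(1 for s in range(R)
               if verify_opening(evaluate(coeffs, s), z, evaluate(t_coeffs, s), s, a))


# Constructed example: f(x) = 3 + x + 4x^2 + x^3, opened at a = 5, where f(5) = 31 (mod 101).
F = [3, 1, 4, 1]
A = 5
Z = evaluate(F, A)
T = quotient(F, A, Z)  # [46, 9, 1], i.e. t(x) = 46 + 9x + x^2

if __name__ == "__main__":
    s = 42  # the trusted setup's secret; the prover never learns it
    print(verify_opening(evaluate(F, s), Z, evaluate(T, s), s, A))  # True
    print(quotient(F, A, Z + 1))                                    # None: no exact quotient
    # A forged (z, t) pair is accepted at only 1 of the 101 possible secret points.
    print(accepting_points(F, A, Z, T), accepting_points(F, A, Z + 1, [47, 9, 1]))  # 101 1
```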

Slide 45

Slide 45 text

Supplement: Multi-Party Trusted Setup "SBOEPNOVNCFSHFOFSBUFEJOBUSVTUFETFUVQ UPYJDXBTUF NVTUOPUCFSFWFBMFEFJUIFSUPB QSPWFSPSBWFSJpFS 5IFUSVTUFETFUVQJTQFSGPSNFECZNVMUJ QBSUJFTTPUIBUUIFUPYJDXBTUFJTOFWFS SFDPWFSFEVOMFTTBMMQBSUJDJQBOUTDPNQSPNJTFE

Slide 46

Slide 46 text

𝔾1 𝔾2 𝑠1 𝑠2 𝑠3 𝑠4 s1 P s2 1 P s1 Q s2 s1 P s2 2 s2 1 P s2 s1 Q s3 s2 s1 P s2 3 s2 2 s2 1 P s3 s2 s1 Q s4 s3 s2 s1 P s2 4 s2 3 s2 2 s2 1 P s4 s3 s2 s1 Q *GBUMFBTUPOFQBSUJDJQBOUEFTUSPZTIJTSBOEPNOVNCFS  UIFUPYJDXBTUF JTOFWFSSFDPWFSFE s = s4 s3 s2 s1 s2 1 Q s2 2 s2 1 Q s2 3 s2 2 s2 1 Q s2 4 s2 3 s2 2 s2 1 Q Supplement: Multi-Party Trusted Setup


Slide 48

Slide 48 text

In Plonk [GWC19]… 1. Arithmetic Circuit / RAM Program 2. Constraints 3. Polynomial / Inner Product .BOVBM 4FNJBVUPNBUJD "VUPNBUJD

Slide 49

Slide 49 text

0XL1 + 0XR1 + 1XL1 XR1 + 0 + (−1)XO1 = 0 × 𝑋𝐿1 𝑋𝑅1 𝑋𝑂1 × 𝑋𝐿2 𝑋𝑅2 𝑋𝑂2 0XL2 + 0XR2 + 1XL2 XR2 + 0 + (−1)XO2 = 0 + 𝑋𝐿3 𝑋𝑅3 𝑋𝑂3 1XL3 + 1XR3 + 0XL3 XR3 + 0 + (−1)XO3 = 0 + 𝑋𝐿4 𝑋𝑅4 1XL3 + 1XR3 + 0XL3 XR3 + 0 + (−1)XO3 = 0 𝑋𝑂4 × 𝑋𝐿5 𝑋𝑅5 𝑋𝑂5 0XL5 + 0XR5 + 1XL5 XR5 + 0 + (−1)XO5 = 0 Gate Constraint

Slide 50

Slide 50 text

index Q_L Q_R Q_M Q_C Q_O 1 0 0 1 0 -1 2 0 0 1 0 -1 3 1 0 0 -5 0 4 0 0 1 0 -1 5 1 1 0 0 -1 6 0 0 1 0 -1 Gate Constraint The values of the parameters for each constraint are summarized in the below table.

Slide 51

Slide 51 text

index Q_L(i) Q_R(i) Q_M(i) Q_C(i) Q_O(i) 1 0 0 1 0 -1 2 0 0 1 0 -1 3 1 0 0 -5 0 4 0 0 1 0 -1 5 1 1 0 0 -1 6 0 0 1 0 -1 Parameter as a polynomial of the index Gate Constraint -> Polynomial

Slide 52

Slide 52 text

5IFQBSBNFUFSWBMVF        *OEFY       2@- 2@3 2@. 2@$ 2@0 Gate Constraint -> Polynomial

Slide 53

Slide 53 text

N constraints N points through which the polynomial passes Degree N-1 polynomial Gate Constraint -> Polynomial


Slide 55

Slide 55 text

is a root of unity. For all , The above polynomials are built beforehand because they depend no witness. 𝑤 i ∈ {0, ⋯, 𝑛−1} 𝑄𝐿(𝑤𝑖) = 𝑄𝐿𝑖 𝑄𝑅(𝑤𝑖) = 𝑄𝑅𝑖 𝑄𝑀(𝑤𝑖) = 𝑄𝑀𝑖 𝑄𝐶(𝑤𝑖) = 𝑄𝐶𝑖 𝑄𝑂(𝑤𝑖) = 𝑄𝑂𝑖 Gate Constraint -> Polynomial

Slide 56

Slide 56 text

is a root of unity. For all , The above polynomials are built for each proof. 𝑤 i ∈ {0, ⋯, 𝑛−1} xL (ωi) = xLi xR (ωi) = xRi xO (ωi) = xOi Gate Constraint -> Polynomial

Slide 57

Slide 57 text

For all , i ∈ {0,…, n − 1} QL (ωi)xL (ωi) + QR (ωi)xR (ωi) + QM (ωi)xL (ωi)xR (ωi) + QC (ωi) + QO (ωi)xO (ωi) = 0 satisfies all constraints. {xLi , xRi , xOi }i∈{1,…,n} n Gate Constraint -> Polynomial

Slide 58

Slide 58 text

For all , 𝑌, 𝑍 ∈ 𝐹𝑟 n ∏ 𝑖=1 (𝑥𝑖 + 𝑖𝑌 + 𝑍) = n ∏ 𝑖=1 (𝑥𝑖 + 𝜎(𝑖)𝑌 + 𝑍) Copy Constraint

Slide 59

Slide 59 text

n ∏ 𝑖=1 (𝑥𝑖 + 𝑖𝜷 + 𝜸) = n ∏ 𝑖=1 (𝑥𝑖 + 𝜎(𝑖)𝜷 + 𝜸) For all , 𝑌, 𝑍 ∈ 𝐹𝑟 Uniformly sample , β, γ ∈ Fr Copy Constraint Schwartz-Zippel Lemma guarantees that it remains secure.

Slide 60

Slide 60 text

Choose such that [GWC19]. Index corresponding to -> Index corresponding to -> Index corresponding to -> k1 , k2 ∈ Fr k1 H ≠ H, k2 H ≠ H, k1 H ≠ k2 H (H = {1,ω, ω2, …, ωn−1}) xL ωi xR k1 ωi xO k2 ωi Copy Constraint -> Polynomial

Slide 61

Slide 61 text

Accumulator of copy constraints [GWC19]. Z(x) Z(1) = 1 Z(ωi+1) = Z(ωi) (xL (ωi) + βωi + γ)(xR (ωi) + βk1 ωi + γ)(xO (ωi) + βk2 ωi + γ) (xL (ωi) + βσ(i) + γ)(xR (ωi) + βσ(n + i) + γ)(xO (ωi) + βσ(2n + i) + γ) Copy Constraint -> Polynomial

Slide 62

Slide 62 text

Verification of the accumulator [GWC19]. Z(x) Z(1)? = 1 Z(ωi+1)(xL (ωi) + βσ(i) + γ)(xR (ωi) + βσ(n + i) + γ)(xO (ωi) + βσ(2n + i) + γ) ? = Z(ωi)(xL (ωi) + βωi + γ)(xR (ωi) + βk1 ωi + γ)(xO (ωi) + βk2 ωi + γ) Copy Constraint -> Polynomial

Slide 63

Slide 63 text

Verification of the accumulator [GWC19]. Z(x) Z(ωi+1)(xL (ωi) + βσ(i) + γ)(xR (ωi) + βσ(n + i) + γ)(xO (ωi) + βσ(2n + i) + γ) ? = Z(ωi)(xL (ωi) + βωi + γ)(xR (ωi) + βk1 ωi + γ)(xO (ωi) + βk2 ωi + γ) Copy Constraint -> Polynomial i = n − 1 (xL (ωi) + βσ(i) + γ)(xR (ωi) + βσ(n + i) + γ)(xO (ωi) + βσ(2n + i) + γ) ? = Z(ωi)(xL (ωi) + βωi + γ)(xR (ωi) + βk1 ωi + γ)(xO (ωi) + βk2 ωi + γ) (wi+1 = wn = 1)

Slide 64

Slide 64 text

Copy Constraint -> Polynomial (xL (ωi) + βσ(i) + γ)(xR (ωi) + βσ(n + i) + γ)(xO (ωi) + βσ(2n + i) + γ) ? = Z(ωi)(xL (ωi) + βωi + γ)(xR (ωi) + βk1 ωi + γ)(xO (ωi) + βk2 ωi + γ) n−1 ∏ i=0 (xL (ωi) + βσ(i) + γ)(xR (ωi) + βσ(n + i) + γ)(xO (ωi) + βσ(2n + i) + γ) ? = n−1 ∏ i=0 (xL (ωi) + βωi + γ)(xR (ωi) + βk1 ωi + γ)(xO (ωi) + βk2 ωi + γ)

Slide 65

Slide 65 text

Copy Constraint -> Polynomial n−1 ∏ i=0 (xL (ωi) + βσ(i) + γ)(xR (ωi) + βσ(n + i) + γ)(xO (ωi) + βσ(2n + i) + γ) ? = n−1 ∏ i=0 (xL (ωi) + βωi + γ)(xR (ωi) + βk1 ωi + γ)(xO (ωi) + βk2 ωi + γ) Accumulator with variable swapping Accumulator without variable swapping
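An added example (not from the slides or from the Plonk paper) of the accumulator $Z(x)$ of slides 60-65 computed over a small multiplicative subgroup; the field $F_{97}$, the root of unity $\omega = 22$, the cosets $k_1 = 2$ and $k_2 = 3$, the copy constraints and the witness values are all constructed assumptions:

```python
import random

P = 97          # field order r (constructed small prime)
N = 4           # number of gates n
OMEGA = 22      # 4th root of unity mod 97: 22^2 = 484 = -1, so 22^4 = 1
K1, K2 = 2, 3   # H, k1*H and k2*H are pairwise disjoint cosets (slide 60)
H = [pow(OMEGA, i, P) for i in range(N)]        # H = {1, omega, ..., omega^(n-1)}

# Wire identifiers of slide 60, by position j in the 3n-entry witness vector:
# j = i -> x_L(omega^i) has id omega^i; j = n+i -> x_R has id k1*omega^i;
# j = 2n+i -> x_O has id k2*omega^i.
IDS = H + [K1 * h % P for h in H] + [K2 * h % P for h in H]

# Constructed copy constraints as pairs of positions carrying the same value:
# x_L2 = x_O0, x_R2 = x_O1, x_L3 = x_O2.
COPIES = [(2, 2 * N + 0), (N + 2, 2 * N + 1), (3, 2 * N + 2)]


def build_sigma(copies):
    """sigma(j) = identifier of the position that j is swapped with (j itself if free)."""
    perm = list(range(3 * N))
    for a, b in copies:          # each copy here is a 2-cycle of the permutation
        perm[a], perm[b] = perm[b], perm[a]
    return [IDS[perm[j]] for j in range(3 * N)]


def accumulator(xL, xR, xO, sigma, beta, gamma):
    """Slide 61: Z(1) = 1 and Z(omega^(i+1)) = Z(omega^i) * num_i / den_i.

    Returns [Z(1), Z(omega), ..., Z(omega^n)]. Since omega^n = 1, the last entry
    must equal Z(1) = 1 (slides 63-65); this fails for a witness that breaks a
    copy constraint except on a negligible fraction of (beta, gamma).
    """
    z = [1]
    for i in range(N):
        num = ((xL[i] + beta * IDS[i] + gamma)
               * (xR[i] + beta * IDS[N + i] + gamma)
               * (xO[i] + beta * IDS[2 * N + i] + gamma)) % P
        den = ((xL[i] + beta * sigma[i] + gamma)
               * (xR[i] + beta * sigma[N + i] + gamma)
               * (xO[i] + beta * sigma[2 * N + i] + gamma)) % P
        z.append(z[-1] * num * pow(den, P - 2, P) % P)   # division via Fermat inverse
    return z


def copy_constraints_hold(xL, xR, xO, beta, gamma):
    """Slide 63: the accumulator must wrap around to 1 at omega^n = 1."""
    return accumulator(xL, xR, xO, build_sigma(COPIES), beta, gamma)[-1] == 1


# Constructed witness: 2*5 = 10, 3+4 = 7, 10*7 = 70, 70+1 = 71, wired as in COPIES.
GOOD = ((2, 3, 10, 70), (5, 4, 7, 1), (10, 7, 70, 71))
BAD = ((2, 3, 10, 9), (5, 4, 7, 1), (10, 7, 70, 10))   # x_L3 no longer copies x_O2

if __name__ == "__main__":
    beta, gamma = random.randrange(1, P), random.randrange(1, P)
    print(copy_constraints_hold(*GOOD, beta, gamma))  # True (unless a factor is 0 mod 97)
    print(copy_constraints_hold(*BAD, beta, gamma))   # False for almost all (beta, gamma)
```

Over a real-size field a zero factor in the products is negligible; with $F_{97}$ it can occur for a few $(\beta, \gamma)$ pairs, which is why the checks in the demonstration are phrased probabilistically.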

Slide 66

Slide 66 text

Problem Conversion in Plonk 1. Arithmetic Circuit / RAM Program 2. Constraints 3. Polynomial / Inner Product

Slide 67

Slide 67 text

Arithmetic Circuit × + × × + Input 1 Input 2 Input 3 Input 4 Input 5 × Multiplication Gate + Addition Gate Output Input 6

Slide 68

Slide 68 text

Constraints (BUF$POTUSBJOUT $PQZ$POTUSBJOUT QL XL + QR XR + QM XL XR + QC + QO XO = 0 n ∏ 𝑖=1 (𝑥𝑖 + 𝑖𝜷 + 𝜸) = n ∏ 𝑖=1 (𝑥𝑖 + 𝜎(𝑖)𝜷 + 𝜸)

Slide 69

Slide 69 text

Polynomial (BUF$POTUSBJOUT $PQZ$POTUSBJOUT QL (ωi)xL (ωi) + QR (ωi)xR (ωi) + QM (ωi)xL (ωi)xR (ωi) +QC (ωi) + QO (ωi)xO (ωi) = 0 Z(ωi+1)(xL (ωi) + βσ(i) + γ)(xR (ωi) + βσ(n + i) + γ)(xO (ωi) + βσ(2n + i) + γ) ? = Z(ωi)(xL (ωi) + βωi + γ)(xR (ωi) + βk1 ωi + γ)(xO (ωi) + βk2 ωi + γ)

Slide 70

Slide 70 text

Kate Commitment Alice Bob [Commitment] [Opening] a, z, t(s)P = f(s) − z s − a P f(s)P

Slide 71

Slide 71 text

Reference • [Oka19] Ԭຊ ཾ໌, ݱ୅҉߸ͷ஀ੜͱൃల ϙετྔࢠ҉߸ɾԾ૝௨՟ɾ৽͍͠҉߸, ۙ୅Պֶࣾ, 2019. • [GWC19] Ariel Gabizon, Zachary J. Williamson, and Oana Ciobotaru. PlonK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge. IACR Cryptol. ePrint Arch., 2019, 953. • [But19] Vitalik Buterin. Understanding PLONK. Vitalik Buterin's website. https://vitalik.ca/index.html ,2019 (Accessed on 09/03/2021). • [KZG10] Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg. Constant-size commitments to polynomials and their applications. In International conference on the theory and application of cryptology and information security (pp. 177-194). Springer, Berlin, Heidelberg, 2010. • [Fei20] Dankrad Feist. KZG polynomial commitments. https://dankradfeist.de/ethereum/2020/06/16/kate- polynomial-commitments.html , 2020 (Accessed on 09/03/2021). • [Har11] Nick Harvey. CPSC 536N: Randomized Algorithms, Lecture 9. https://www.cs.ubc.ca/~nickhar/W12/ Lecture9Notes.pdf , 2011 (Accessed on 09/04/2021). • [Ll21] Star Ll. ZKP— PlonK Algorithm Introduction. https://starli.medium.com/zkp-plonk-algorithm- introduction-834556a32a , 2021 (Accessed on 09/03/2021). • [Fit20] Joshua Fitzgerald. PLONK by Hand (Part 1: Setup), METASTATE TEAM. https://research.metastate.dev/plonk- by-hand-part-1/ , 2020 (Accessed on 09/03/2021). • [ASTTM16] ༗ా ਖ਼߶, ڥ ོҰ, ୞໦ ޹ଠ࿠, ᪅ ً৾, দඌ ࿨ਓ, ҉߸ཧ࿦ͱପԁۂઢ, ৿๺ग़൛גࣜձࣾ, 2016. • [Gro16] Jens Groth. On the Size of Pairing-based Non-interactive Arguments. In Annual international conference on the theory and applications of cryptographic techniques (pp. 305-326). Springer, Berlin, Heidelberg, 2016. • [BBB18] Benedikt BÜNZ, et al. Bulletproofs: Short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 2018. p. 315-334. • [BBH18] Eli Ben-Sasson, et al. Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, 2018. • [SP19] Kineret Segal and Shir Peled. 
Arithmetization I, StarkWare, Medium. https://medium.com/starkware/ arithmetization-i-15c046390862, 2019 (Accessed on 05/25/2022).

Slide 72

Slide 72 text

Reference • [CW18] Antonio Salazar Cardozo and Zachary Williamson. EIP-1108: Reduce alt_bn128 precompile gas costs. https:// eips.ethereum.org/EIPS/eip-1108, 2018 (Accessed on 05/25/2022). • [Tor22] Tornado Cash. github.com - tornado-core, https://github.com/tornadocash/tornado-core, 2022. (Accessed on 04/25/2022) • [Azt22] Aztec. Aztec homepage, https://aztec.network/, 2022. (Accessed on 05/25/2022) • [Mor] Monero. Moneropedia - Bulletproofs, https://web.getmonero.org/resources/moneropedia/bulletproofs.html, n.d. (Accessed on 05/25/2022) • [Zca] Zcash. Zcash - What are zk-SNARKs?, https://z.cash/technology/zksnarks/, n.d. (Accessed on 05/25/2022) • [Pom19] poma. Ethereum Research - Benchmark: Circom vs Bellman (wasm) in Chrome on Mobile, https:// ethresear.ch/t/benchmark-circom-vs-bellman-wasm-in-chrome-on-mobile/5261, 2019. (Accessed on 05/26/2022) • [PSS19] Pertsev A, Semenov R, and Storm R. Tornado Cash Privacy Solution Version 1.4, 2019, https://tornado.cash/ audits/TornadoCash_whitepaper_v1.4.pdf (Accessed on 05/26/2022) • [But22] Vitalik Buterin. How do trusted setups work?, https://vitalik.ca/general/2022/03/14/trustedsetup.html (Accessed on 06/01/2022)