Theory and Applications of Zero-Knowledge Proof - Part 2: Formal protocol of Plonk and its applications.

5IFPSZBOE"QQMJDBUJPOTPG ;FSP,OPXMFEHF1SPPG 1BSU'PSNBMQSPUPDPMPG1MPOLBOE JUTBQQMJDBUJPOT %FQBSUNFOUPG*OGPSNBUJPOBOE$PNNVOJDBUJPO&OHJOFFSJOH 5IF6OJWFSTJUZPG5PLZP 4PSB4VFHBNJ

Problem Conversion in Plonk 1. Arithmetic Circuit / RAM Program
2. Constraints 3. Polynomial / Inner Product

Arithmetic Circuit × + × × + Input 1 Input
2 Input 3 Input 4 Input 5 × Multiplication Gate + Addition Gate Output Input 6

Constraints (BUF$POTUSBJOUT $PQZ$POTUSBJOUT QL XL + QR XR + QM
XL XR + QC + QO XO = 0 n ∏ 𝑖 =1 ( 𝑥 𝑖 + 𝑖 𝜷 + 𝜸 ) = n ∏ 𝑖 =1 ( 𝑥 𝑖 + 𝜎 ( 𝑖 ) 𝜷 + 𝜸 )

Polynomial (BUF$POTUSBJOUT $PQZ$POTUSBJOUT QL (ωi)xL (ωi) + QR (ωi)xR (ωi)
+ QM (ωi)xL (ωi)xR (ωi) +QC (ωi) + QO (ωi)xO (ωi) = 0 Z(ωi+1)(xL (ωi) + βσ(i) + γ)(xR (ωi) + βσ(n + i) + γ)(xO (ωi) + βσ(2n + i) + γ) ? = Z(ωi)(xL (ωi) + βωi + γ)(xR (ωi) + βk1 ωi + γ)(xO (ωi) + βk2 ωi + γ)

Kate Commitment Alice Bob [Commitment] [Opening] a, z, t(s)P =
f(s) − z s − a P f(s)P

∀i ∈ {0,…, n −
1}, qL (ωi)a(ωi) + qR (ωi)b(ωi) + qM (ωi)a(ωi)b(ωi) + qC (ωi) + qO (ωi)c(ωi) = 0 ∀i ∈ {0,…, n − 1}, Z(ωi)(a(ωi) + βωi + γ)(b(ωi) + βk1 ωi + γ)(c(ωi) + βk2 ωi + γ) = Z(ωi+1)(a(ωi) + βσ(i) + γ)(b(ωi) + βσ(n + i) + γ)(c(ωi) + βσ(2n + i) + γ) Z(1) = 1 &RVBUJPOTJO1MPOL<(8$> XIFSF JTBQSJNJUJWF `UISPPUPGVOJUZ H = {1,ω, ω2, …, ωn−1} ω n

∀i ∈ {0,…, n −
1}, qL (ωi)a(ωi) + qR (ωi)b(ωi) + qM (ωi)a(ωi)b(ωi) + qC (ωi) + qO (ωi)c(ωi) = 0 ∀i ∈ {0,…, n − 1}, Z(ωi)(a(ωi) + βωi + γ)(b(ωi) + βk1 ωi + γ)(c(ωi) + βk2 ωi + γ) = Z(ωi+1)(a(ωi) + βσ(i) + γ)(b(ωi) + βσ(n + i) + γ)(c(ωi) + βσ(2n + i) + γ) Z(1) = 1 &RVBUJPOTJO1MPOL<(8$>

"QQSPBDI<(8$> w 1SPPGUIBUBQPMZOPNJBMJT[FSPBUNVMUJQMFQPJOUT "EFHSFF QPMZOPNJBM JT[FSPBU 5IFSFJTBQPMZOPNJBM TVDIUIBU
JG d f(x) a ∈ H = {a1 , a2 , …, an } ⟺ q(x) f(x) = q(x)h(x) h(x) = (x − a1 )(x − a2 )⋯(x − an ) H = {1,…, ωn−1} h(x) = xn − 1 6TJOH,BUF$PNNJUNFOU e(f(s)P, Q) = e(q(s)P, h(s)Q)

w 1SPPGUIBUDPNNPOXJUOFTTQPMZOPNJBMT BSFVTFE a(x), b(x), c(x) 4BNQMFBSBOEPNQPJOU BOEBQSPWFSTFOETBWFSJ fi FS
FWBMVBUJPOSFTVMUT 𝔷 ¯ a = a( 𝔷 ), ¯ b = b( 𝔷 ), ¯ c = c( 𝔷 ) 5IFWFSJ fi FSVTFTUIFTBNF UIFSFGPSF UIFQSPWFSJTGPSDFEUPVTFUIFDPNNPO XJUOFTTQPMZOPNJBMT ¯ a, ¯ b, ¯ c "QQSPBDI<(8$>

∀i ∈ {1,…, n}, Z(ωi)(a(ωi) + βωi + γ)(b(ωi)
+ βk1 ωi + γ)(c(ωi) + βk2 ωi + γ) = Z(ωi+1)(a(ωi) + βσ(i) + γ)(b(ωi) + βσ(n + i) + γ)(c(ωi) + βσ(2n + i) + γ) w 1SPPGUIBUTQFDJ fi FEQBSBNFUFSQPMZOPNJBMT FH BSFVTFE qL (x) 5IFWFSJ fi FSDBOOPUDPNQVUFUIF DPNNJUNFOUGPSUIFSJHIUTJEFCFDBVTFQBJSJOH POMZTVQQPSUTEFHSFFNVMUJQMJDBUJPOPGFMMJQUJD DVSWFQPJOUT "QQSPBDI<(8$>

$POWFSTJPOUPMJOFBSQPMZOPNJBMT FH 1SPPGPG 5IFWFSJ fi FSJTBTTVNFEUPLOPXDPNNJUNFOUTPG h1 (X)h2 (X)
− h3 (X) = 0 h1 (X), h2 (X), h3 (X) 4BNQMFBSBOEPNQPJOU BOEUIFQSPWFSTFOETUIF WFSJ fi FSBOFWBMVBUJPOSFTVMU 5IFQSPWFSUIFOQSPWFTUXPMJOFBSFRVBUJPOT 𝔷 t = h1 ( 𝔷 ) h1 ( 𝔷 ) = t, th2 (X) − h3 (X) = 0 "QQSPBDI<(8$> w 1SPPGUIBUTQFDJ fi FEQBSBNFUFSQPMZOPNJBMT FH BSFVTFE qL (x)

w /PUBUJPOBCPVUBQPJOUPGBOFMMJQUJDDVSWF 1SFMJNJOBSJFT<(8$> 1BJSJOH
[x]1 := xP ∈ 𝔾 1 [x]2 := xQ ∈ 𝔾 2 e e([x]1 , [y]1 ) = e([xy]1 , [1]2 ) = e([1]1 , [xy]2 )

w ЄQSPUPDPM *OUFSBDUJWF1SPUPDPM $PNNJUNFOUc $IBMMFOHFe 3FTQPOTFy 1SPWFS 7FSJ fi FS
*UJTTJHOJ fi DBOUGPSTFDVSJUZUIBUUIFQSPWFSDBOOPUHVFTT CFGPSFTFOEJOH e c 1SFMJNJOBSJFT<(8$>

w 'JBU4IBNJSUSBOTGPSN /POJOUFSBDUJWF1SPUPDPM $PNNJUNFOUc e = Hash(c) c, y 1SPWFS
7FSJ fi FS 6OEFSUIFSBOEPNPSBDMFNPEFM UIFQSPWFSDBODPNQVUF CFDBVTFBOPVUQVUPGBIBTIGVODUJPOJTJOEJTUJOHVJTIBCMF GSPNBSBOEPNOVNCFS *UDBOUSBOTGPSNBЄQSPUPDPMUPBOPOJOUFSBDUJWFQSPUPDPM e 1SFMJNJOBSJFT<(8$>

w -BHSBOHFCBTFT Li (X) := ∏ 1≤j≤n,j≠i X − ωj
ωi − ωj Li (ωi) = 1 ∀j ≠ i, Li (ωj) = 0 ⇒ { 1SFMJNJOBSJFT<(8$>

w &YUFOEFE,BUF$PNNJUNFOU POFFWBMVBUJPOQPJOUɺUQPMZOPNJBMT 1SFMJNJOBSJFT<(8$>

SBOEPNMJOFBSDPNCJOBUJPO w &YUFOEFE,BUF$PNNJUNFOU POFFWBMVBUJPOQPJOUɺUQPMZOPNJBMT 1SFMJNJOBSJFT<(8$>

w &YUFOEFE,BUF$PNNJUNFOU POFFWBMVBUJPOQPJOUɺUQPMZOPNJBMT 1SFMJNJOBSJFT<(8$>

"OFWBMVBUJPO SFTVMU fi (z) w &YUFOEFE,BUF$PNNJUNFOU POFFWBMVBUJPOQPJOUɺUQPMZOPNJBMT 1SFMJNJOBSJFT<(8$>

w &YUFOEFE,BUF$PNNJUNFOU UXPEJ ff FSFOUFWBMVBUJPOQPJOUT 1SFMJNJOBSJFT<(8$>

"QSPPGDPOTJTUT PGUXPQPJOUT w &YUFOEFE,BUF$PNNJUNFOU UXPEJ ff FSFOUFWBMVBUJPOQPJOUT 1SFMJNJOBSJFT<(8$>

w &YUFOEFE,BUF$PNNJUNFOU UXPEJ ff FSFOUFWBMVBUJPOQPJOUT 1SFMJNJOBSJFT<(8$>

*OTJEFUIF fi STU   e (∑
γi−1 fi (X) − ∑ γi−1si ) + r′ (∑ γ′ i−1 f′ i (X) − ∑ γ′ i−1s′ i ) +z∑ γi−1 fi (X) − fi (z) X − z + r′ z′ ∑ γ′ i−1 f′ i (X) − f′ i (z) X − z′ = (X − z)∑ γi−1 fi (X) − si X − z + r′ (X − z′ )∑ γ′ i−1 f′ i (X) − s′ i X − z +z∑ γi−1 fi (X) − fi (z) X − z + r′ z′ ∑ γ′ i−1 f′ i (X) − f′ i (z) X − z′ = X∑ γi−1 fi (X) − si X − z + r′ X∑ γ′ i−1 f′ i (X) − s′ i X − z w &YUFOEFE,BUF$PNNJUNFOU UXPEJ ff FSFOUFWBMVBUJPOQPJOUT 1SFMJNJOBSJFT<(8$>

1MPO,1SPUPDPM<(8$> w 1PMZOPNJBMTTQFDJ fi FECZBDJSDVJUDPOTUSBJOUT

1MPO,1SPUPDPM<(8$> (BUF DPOTUSBJOUT w 1PMZOPNJBMTTQFDJ fi FECZBDJSDVJUDPOTUSBJOUT

1MPO,1SPUPDPM<(8$> $PQZ DPOTUSBJOUT w 1PMZOPNJBMTTQFDJ fi FECZBDJSDVJUDPOTUSBJOUT

1MPO,1SPUPDPM<(8$> w /1SFMBUJPOUPWFSJGZ 4UBUFNFOUBOE8JUOFTTx = (wi )i∈{1,…,ℓ} , w =
(wi )3n i=ℓ+1 /1SFMBUJPOR ⊂ 𝔽 ℓ p × 𝔽 3n−ℓ p (x, w) ∈ R ⇔

1MPO,1SPUPDPM<(8$> w 1SFQSPDFTTFEQPMZOPNJBMTUIBUCPUIQMBZFSTLOPX

1MPO,1SPUPDPM<(8$> [ ]1 w 1SFQSPDFTTFEQPMZOPNJBMTUIBUCPUIQMBZFSTLOPX

1MPO,1SPUPDPM<(8$> w 1SFQSPDFTTFEQPMZOPNJBMTUIBUCPUIQMBZFSTLOPX

1MPO,1SPUPDPM<(8$> w 1SPWFS`TQSPDFTTSPVOEDPNNJU a(x), b(x), c(x)

1MPO,1SPUPDPM<(8$> w 1SPWFS`TQSPDFTTSPVOEDPNNJUBOBDDVNVMBUPS z(x)

1MPO,1SPUPDPM<(8$> $IBMMFOHFTJO 'JBU4IBNJS USBOTGPSN w 1SPWFS`TQSPDFTTSPVOEDPNNJUBOBDDVNVMBUPS z(x)

1MPO,1SPUPDPM<(8$> w 1SPWFS`TQSPDFTTSPVOEDPNNJUBRVPUJFOUQPMZOPNJBM t(x)

∀i ∈ {0,…, n −
1}, qL (ωi)a(ωi) + qR (ωi)b(ωi) + qM (ωi)a(ωi)b(ωi) + qC (ωi) + qO (ωi)c(ωi) = 0 ∀i ∈ {0,…, n − 1}, Z(ωi)(a(ωi) + βωi + γ)(b(ωi) + βk1 ωi + γ)(c(ωi) + βk2 ωi + γ) = Z(ωi+1)(a(ωi) + βσ(i) + γ)(b(ωi) + βσ(n + i) + γ)(c(ωi) + βσ(2n + i) + γ) Z(1) = 1 &RVBUJPOTJO1MPOL<(8$> XIFSF JTBQSJNJUJWF `UISPPUPGVOJUZ H = {1,ω, ω2, …, ωn−1} ω n

1MPO,1SPUPDPM<(8$> w 1SPWFS`TQSPDFTTSPVOEDPNNJUBRVPUJFOUQPMZOPNJBM t(x)

1MPO,1SPUPDPM<(8$> "EFHSFF SFRVJSFE GPS434JT MFTTUIBOO w 1SPWFS`TQSPDFTTSPVOEDPNNJUBRVPUJFOUQPMZOPNJBM t(x)

1MPO,1SPUPDPM<(8$> w 1SPWFS`TQSPDFTTSPVOEFWBMVBUFQPMZOPNJBMTBU 𝔷 , 𝔷 w

1MPO,1SPUPDPM<(8$> 5IFQPMZOPNJBMTBSF PQFOFEBUUXPQPJOUT 𝔷 , 𝔷 ω w 1SPWFS`TQSPDFTTSPVOEFWBMVBUFQPMZOPNJBMTBU
𝔷 , 𝔷 w

1MPO,1SPUPDPM<(8$> w 1SPWFS`TQSPDFTTSPVOEPQFOQPMZOPNJBMTBU 𝔷 , 𝔷 w

1MPO,1SPUPDPM<(8$> 0QFOJOHBU 𝔷 w 1SPWFS`TQSPDFTTSPVOEPQFOQPMZOPNJBMTBU 𝔷 , 𝔷 w

1MPO,1SPUPDPM<(8$> 0QFOJOH BU 𝔷 ω w 1SPWFS`TQSPDFTTSPVOEPQFOQPMZOPNJBMTBU 𝔷 ,
𝔷 w

1MPO,1SPUPDPM<(8$> w 1SPWFS`TPVUQVU

1MPO,1SPUPDPM<(8$> w 1SPWFS`TPVUQVU $PNNJUNFOU

1MPO,1SPUPDPM<(8$> w 1SPWFS`TPVUQVU &WBMVBUJPO SFTVMUT

1MPO,1SPUPDPM<(8$> w 1SPWFS`TPVUQVU 0QFOJOH

1MPO,1SPUPDPM<(8$>

1MPO,1SPUPDPM<(8$> w 7FSJ fi FS`TQSPDFTT

1MPO,1SPUPDPM<(8$> 3FQSPEVDFUIF TBNFDIBMMFOHFT w 7FSJ fi FS`TQSPDFTT

1MPO,1SPUPDPM<(8$> 'JYXJUOFTTFTPG QVCMJDJOQVUT w 7FSJ fi FS`TQSPDFTT

1MPO,1SPUPDPM<(8$> /PUEFQFOEJOHPOT@М w 7FSJ fi FS`TQSPDFTT

1MPO,1SPUPDPM<(8$> w 7FSJ fi FS`TQSPDFTT

1MPO,1SPUPDPM<(8$> #JOEJOHXJUILOPXO DPNNJUNFOUT w 7FSJ fi FS`TQSPDFTT

1MPO,1SPUPDPM<(8$> JTBEEFE MBUFS r0 w 7FSJ fi FS`TQSPDFTT

1MPO,1SPUPDPM<(8$>

8IBUJT;,13FDVSTJPO 3FDVSTJPO7FSJGZJOHUIFQSPPGJOTJEFUIFQSPPG ;,7FSJGZ $JSDVJU 1SPPG 1SPPG *OWBMJE
7BMJE (FOFSBUJOHBQSPPGGPSUIFBCPWF;,7FSJGZ $JSDVJU UXPQSPPGTBSFDPNQSFTTFEJOUPPOF QSPPG

#FOF fi UTPGSFDVSTJPO 'PS4DBMJOH.BJOUBJODPOTUBOUWFSJ fi DBUJPODPTUT 1SPPG 1SPPG
1SPPG 1SPPG 1SPPG 1SPPG 1SPPG 1SPPG 1SPPG 1SPPG 1SPPG 1SPPG 1SPPG 1SPPG 1SPPG *OWBMJE 7BMJE

3FDVSTJWF;,ͷར఺ 'PS4DBMJOH1BSBMMFMJ[BUJPOPGQSPPGHFOFSBUJPO *ODSFBTFUISPVHIQVU 1SPPG 1SPPG 1SPPG 1SPPG
1SPPG 1SPPG 1SPPG 59 59 59 59 1SPPG 59 59 59 59 1SPWFS5JNF0 /MPH/ 1SPWFS5JNF0 MPH/

'PS1SJWBDZ"HHSFHBUFUSBOTBDUJPOTXJUIQSPUFDUJOH UIFJSQSJWBDZ 1SPPG 1SPPG 1SPPG 1SPPG
1SPPG 1SPPG 1SPPG 59 59 59 59 (FOFSBUFECZB3PMMVQTFSWFS #FOF fi UTPGSFDVSTJPO (FOFSBUFECZFBDIVTFS

5IFEJ ff i DVMUZPGSFDVSTJPO ;,1QSPUPDPMXJUIFMMJQUJDDVSWFT FH1MPOL 5IFPSEFSPG fi OJUF fi
FMEXIFSFUIFFMMJQUJDDVSWFJTEF fi OFE Fq 5IFPSEFSPGUIFDZDMJDHSPVQ XIPTFHFOFSBUPSJT Fr 𝔾 G

;,7FSJGZ $JSDVJU %F fi OFEPWFS 1FSGPSNJOHNPE Fr r %F
fi OFEPWFS 3FRVJSJOHNPE Fq q 5IFEJ ff i DVMUZPGSFDVSTJPO ;,1QSPUPDPMXJUIFMMJQUJDDVSWFT FH1MPOL

0QUJNJ[BUJPOXJUI1MPPLVQ<><> 6TJOH1BJSJOHCBTFE;,1TDIFNF 1FSGPSNTBDPNQVUBUJPOPWFSB fi OJUF fi FMEPG EJ ff FSFOUPSEFSF
ff i DJFOUMZXJUIBMPPLVQUBCMF

$VSWF%F fi OFEPWFS Fq %F fi OFEPWFS 𝔾 1
Fr 3FQMBDFJOF ffi DJFOU DPNQVUBUJPOTXJUI MPPLVQUBCMFJODMVTJPO QSPPGT 0QUJNJ[BUJPOXJUI1MPPLVQ<><>

-PPLVQ5BCMF"CPPMFBOUBCMFPGJOQVUBOEPVUQVU FH903PGUXPCJUWBMVFT$"㱾# " # $ C C C C C
C C C C C C C C C C C C Č C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C 0QUJNJ[BUJPOXJUI1MPPLVQ<><>

" # $ C C C C C C C
C C C C C C C C C C Č C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C (A, B, C) ∈ 0QUJNJ[BUJPOXJUI1MPPLVQ<><> -PPLVQ5BCMF"CPPMFBOUBCMFPGJOQVUBOEPVUQVU FH903PGUXPCJUWBMVFT$"㱾#

"JOUFHFSDPNQVUBUJPODJSDVJUPO fi OJUF fi FMEFq "DJSDVJUGPSDPNQVUJOHBEEJUJPO TDBMBS NVMUJQMF BOEQBJSJOHPGQPJOUTPOFMMJQUJDDVSWFT "QSPPGWFSJ
fi DBUJPODJSDVJU 0QUJNJ[BUJPOXJUI1MPPLVQ<><>

"OFYBNQMFPGUIFJOUFHFSDPNQVUBUJPODJSDVJUPO UIF fi OJUF fi FMEPGEJ ff FSFOUPSEFS<> %FDPNQPTFUIFJOUFHFSJOUP?CBTFJOUFHFST A
= a0 + a1 216 + a2 232 + … + ak 216k %F fi OFDPNQVUBUJPOTGPSUIFEFDPNQPTFEJOUFHFST FH "EEUXPJOUFHFSTXJUIDPOTJEFSJOHBDBSSZ 1SPWFUIBU JTXJUIJOUIFSBOHFPG JF SBOHFQSPPG ai 0 ≤ ai ≤ 216 − 1 0QUJNJ[BUJPOXJUI1MPPLVQ<><>

"OFYBNQMFPGUIFJOUFHFSDPNQVUBUJPODJSDVJUPO UIF fi OJUF fi FMEPGEJ ff FSFOUPSEFS<> %FDPNQPTFUIFJOUFHFSJOUP?CBTFJOUFHFST A
= a0 + a1 216 + a2 232 + … + ak 216k %F fi OFDPNQVUBUJPOTGPSUIFEFDPNQPTFEJOUFHFST FH "EEUXPJOUFHFSTXJUIDPOTJEFSJOHBDBSSZ 1SPWFUIBU JTXJUIJOUIFSBOHFPG JF SBOHFQSPPG ai 0 ≤ ai ≤ 216 − 1 0QUJNJ[BUJPOXJUI1MPPLVQ<><> "CPVUUJNFTNPSFF ffi DJFOUXJUI BMPPLVQUBCMFUFDIOJRVF<>

)PX1MPPLVQXPSLT<><> 5BCMFUP7FDUPST $PNQSFTTUIFDPMVNOTXJUIBSBOEPNOVNCFS α ∈ Fq " # $
C C C C C C C C C C C C C C C C C Č C C C C C C C C C C C C C C C C C C C C C C C C C C C C C C " Ћ# Ћ?$ C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C

" Ћ# Ћ?$ C ЋC Ћ?C C ЋC Ћ?C C
ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C C ЋC Ћ?C A + αB + α2C ∈ )PX1MPPLVQXPSLT<><> 5BCMFUP7FDUPST $PNQSFTTUIFDPMVNOTXJUIBSBOEPNOVNCFS α ∈ Fq

"DUVBMXJUOFTTWBMVFTf = {fi }i∈{1…n} 7BMVFTJOUIFMPPLVQUBCMFt = {ti }i∈{1…d}
JODMVEFTEVQMJDBUJPOT f ⊂ t f )PX1MPPLVQXPSLT<><>

f = {1,8,8}, t = {1,4,8} %F fi OFBWFDUPS
CZDPNCJOJOH BMMPXJOHGPS EVQMJDBUJPOT BOETPSUJOHUIFN JOPSEFSPG s = {si }i∈{1,…,n+d} f, t t s = {1,1,4,8,8,8} )PX1MPPLVQXPSLT<><>

f = {1,8,8}, t = {1,4,8} s = {1,1,4,8,8,8} $POTJEFSUIFTFUPGEJ
ff FSFODFTCFUXFFO BEKBDFOUFMFNFOUT t → {3,4}, s → {0,3,4,0,0} *G UIFTFEJ ff FSFODFTFUTBSF FRVJWBMFOUFYDFQU f ⊂ t )PX1MPPLVQXPSLT<><>

)PX1MPPLVQXPSLT<><>

5IFGBDUPSPG G(β, γ) (γ(1 + β) + si +
βsi+1 ) *G si = si+1 (1 + β)(γ + si ) *G si ≠ si+1 (γ(1 + β) + si + βsi+1 ) + 5IFSFFYJTUTBGBDUPS FRVBMUP (1 + β)(γ + fj ) + )PX1MPPLVQXPSLT<><> 5IFSFFYJTUTBGBDUPS FRVBMUP (γ(1 + β) + tj + βtj+1 )

si = si+1 = fj + si + βsi+1
= tj + βtj+1 ⟺ si = tj , si+1 = tj+1 f ⊂ s s ⊂ t )PX1MPPLVQXPSLT<><> 5IFSFFYJTUTBGBDUPS FRVBMUP (1 + β)(γ + fj ) + 5IFSFFYJTUTBGBDUPS FRVBMUP (γ(1 + β) + tj + βtj+1 )

f = {1,8,8}, t = {1,4,8} s = {1,1,4,8,8,8} 1
+ 4β 4 + 8β 1 + 4β 4 + 8β )PX1MPPLVQXPSLT<><>

f = {1,8,8}, t = {1,4,8} s = {1,1,4,8,8,8} 1(1
+ β) 8(1 + β) 8(1 + β) 1(1 + β) 8(1 + β) 8(1 + β) )PX1MPPLVQXPSLT<><>

3FGFSFODF <144>1FSUTFW" 4FNFOPW3 BOE4UPSN35PSOBEP$BTI1SJWBDZ4PMVUJPO7FSTJPO IUUQTUPSOBEPDBTIBVEJUT5PSOBEP$BTI@XIJUFQBQFS@WQEG "DDFTTFE PO
<0LB>Ԭຊཾ໌ݱ୅҉߸ͷ஀ੜͱൃలϙετྔࢠ҉߸ɾԾ૝௨՟ɾ৽͍͠҉߸ ۙ୅Պֶࣾ <5PS>5PSOBEP$BTIHJUIVCDPNUPSOBEPDPSFDJSDVJUTXJUIESBXDJSDPN IUUQTHJUIVCDPNUPSOBEPDBTIUPSOBEPDPSFCMPCNBTUFSDJSDVJUTXJUIESBXDJSDPN "DDFTTFEPO <(8$>"SJFM(BCJ[PO ;BDIBSZ+8JMMJBNTPO BOE0BOB$JPCPUBSV1MPO, 1FSNVUBUJPOTPWFS-BHSBOHFCBTFTGPS0FDVNFOJDBM/POJOUFSBDUJWFBSHVNFOUTPG ,OPXMFEHF*"$3$SZQUPMF1SJOU"SDI <"4#>"MFYFZ"LIVOPW &MJ#FO4BTTPO 5PN#SBOE -PVJT(VUINBOO BOE "WJIV -FWZ&*15SBOTBDUJPOEBUBHBTDPTUSFEVDUJPO IUUQTFJQTFUIFSFVNPSH &*14FJQ "DDFTTFEPO  

Theory and Applications of Zero-Knowledge Proof...

Theory and Applications of Zero-Knowledge Proof - Part 2: Formal protocol of Plonk and its applications.

More Decks by SoraSuegami

Other Decks in Technology

Featured

Transcript