[Workshop Recap] Plonky2 For Dummies

Ethereum has long been considered one of the most important blockchain platforms, providing the backbone for many decentralized applications (dApps) and smart contracts. However, as the network has grown, it has become apparent that there are several significant problems that need to be addressed if Ethereum is to continue to meet the needs of its users.
One of the most pressing issues is the network's capacity and scalability. As more and more dApps are built on the Ethereum blockchain, the network has become increasingly congested, leading to slower transaction times and higher fees (currently it can only process 10-30 tx per second).
Another problem facing Ethereum is its lack of privacy. While Ethereum transactions are technically anonymous, it is possible to trace transactions back to their origin using publicly available information on the blockchain. This makes Ethereum less than ideal for use in applications that require a high level of privacy, such as those involving financial transactions or personal data.
Finally, Ethereum is facing growing competition from other blockchain platforms that offer similar capabilities but with improved scalability and privacy features. These platforms, such as Polkadot, Solana, and Binance Smart Chain, are gaining popularity among developers and users who are frustrated with Ethereum's current limitations.
To address these issues, the Ethereum community has been working on a range of solutions, including the implementation of new scaling technologies such as sharding, data availability sampling (Onchain aka L1 Scaling) or Rollups, including ZK-rollup and Optimistic Rollup (Offchain aka L2 Scaling).

Why do we need ZK-rollups?

ZK-rollups are a layer 2 scaling solution that increases tx throughput on L1 by moving computation and state storage off-chain (to L2). Only minimal summary data is posted to L1 (as calldata, for data availability), along with a cryptographic proof that the state changes are correct (funds are sufficient, funds are correctly moved, valid signatures are present, etc.).
The ZK-Rollup’s state is maintained by a smart contract deployed on L1. To update this state, ZK-rollup nodes must submit a validity proof for verification.
There are no delays when moving funds from a ZK-rollup to L1 because exit transactions are executed once the ZK-rollup contract verifies the validity proof.
Thus, the ZK-rollups approach significantly increases the processing capacity of the blockchain network, enabling it to handle a much higher volume of transactions.

High Level Diagram: zk-Rollups

Below is a diagram showing the two roles in a ZK-rollup. Let's say you have n users who each want to make a transaction. They send their transactions to a relayer, which creates a proof based on the data sent by the users and sends that proof to L1.
Note that the most important part of ZK-rollups is the ZK, which means we need to answer the question: how can you create a proof of n transactions? Creating proofs requires a ZKP protocol that is complicated both mathematically and logically. So, when we want to build a ZKP system, we need to understand the anatomy of a ZKP system.

Anatomy of a ZKP System

  • Arithmetization (front-end), i.e. how to interpret your program as zk circuits.
    • Dev Stack:  R1CS (gadgets, DSL circom), Plonk (gadgets, byte-code-lang Wasm, HL-lang Noir, zkASM), AIR (gadgets, byte-code-lang, HL-lang CAIRO).
  • Information-Theoretical Proof System (back-end), i.e. the necessary computation/checks on variables in the ZK circuits to make sure that the circuit's evaluation is correct. Notice that many assumptions on what the attacker can do are made here.
    • Dev Stack: Groth16, Plonk, FRI, HyperPlonk.
  • Cryptographic Compiler (crypto-back-end), i.e. the cryptographic techniques that ensure the assumptions on what the attacker can do actually hold.
    • Dev Stack: KZG (trusted setup, but updatable; a CRS is to be made available soon by the EF, and an existing CRS by Aztec is used in many places such as zkSync); FRI (transparent, by StarkWare).

Framework for building ZKP Application

For engineers and software developers, building everything from scratch takes a huge amount of time, and it is difficult to ensure the resulting system is free of serious bugs or security breaches. Frameworks let you build ZKP applications faster and more securely. Some notable frameworks include:
  • Circom (Iden3)
  • Halo2 (zcash, PSE)
  • Noir (Aztec)
  • SnarkyJS (Mina)
  • Plonky2 (Polygon Zero)
    • Arithmetization: Plonk
    • ITPS: FRI
    • CC: FRI
In case you want to learn more about Halo2, check out this presentation from Khai Hanh at the EthVietnam event.

PLONK Arithmetization

  • Given the function f(x) = x^3 + x + 5, we prove that we know x such that f(x) = 35.
  • We do this with a circuit that has the following constraints:
    • x ∗ x = x^2 (x_square)
    • x ∗ x_square = x^3 (x_cube)
    • x^3 + x = x^3 + x (sum_0)
    • sum_0 + 5 = x^3 + x + 5 (output)
    • output = 35

PLONK Arithmetization: Gate constraints

Each basic gate has two inputs (x1, x2) and one output (x3); the gate's operation is either multiplication or addition. qL, qR, qC and qM are the selectors.
  • General form (all gates must satisfy): qL ∗ x1 + qR ∗ x2 − qC ∗ x3 + qM ∗ (x1 ∗ x2) = 0
  • For a multiplication gate x1 ∗ x2 = x3:
    • Set qL = qR = 0, qM = 1, qC = 1 ⇒ 0 ∗ x1 + 0 ∗ x2 − 1 ∗ x3 + 1 ∗ (x1 ∗ x2) = 0
  • For an addition gate x1 + x2 = x3:
    • Set qL = qR = 1, qM = 0, qC = 1 ⇒ 1 ∗ x1 + 1 ∗ x2 − 1 ∗ x3 + 0 ∗ (x1 ∗ x2) = 0
Example: 
  • A multiplication gate x ∗ x = x^2, with x = 3
    • 0 ∗ x1 + 0 ∗ x2 − 1 ∗ x3 + 1 ∗ (x1 ∗ x2) = 0
    • x1 = 3, x2 = 3, x3 = 9 ⇒ 0 ∗ 3 + 0 ∗ 3 − 1 ∗ 9 + 1 ∗ (3 ∗ 3) = 0
  • An addition gate x_cube + x = sum_0, with x = 3, x_cube = 27, sum_0 = 30
    • 1 ∗ x1 + 1 ∗ x2 − 1 ∗ x3 + 0 ∗ (x1 ∗ x2) = 0
    • x1 = 27, x2 = 3, x3 = 30 ⇒ 1 ∗ 27 + 1 ∗ 3 − 1 ∗ 30 + 0 ∗ (27 ∗ 3) = 0

PLONK Arithmetization: Copy constraints

  • Gate constraints only validate the relation inside a single gate.
  • Copy constraints ensure that all wires are connected correctly, i.e. that a value leaving one gate is the same value entering the next.
  • Example: w2 = x3
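
The gate and copy constraints above can be checked in a few lines of plain Rust. This is an added example, not code from the workshop or from Plonky2: the names (Gate, COPIES, PUBLIC, verify) are hypothetical, arithmetic is done in the Goldilocks field that Plonky2 uses, and the constant 5 and the output 35 are assumed to be public values pinned to wires. It shows why gate constraints alone are not enough: a forged witness can satisfy every gate and still be rejected by the copy constraints.

```rust
// Added example (not Plonky2 code): checks the page's gate and copy constraints.
const P: u128 = 0xFFFF_FFFF_0000_0001; // Goldilocks prime, 2^64 - 2^32 + 1

#[derive(Clone, Copy)]
struct Gate { ql: u128, qr: u128, qc: u128, qm: u128 }
const MUL: Gate = Gate { ql: 0, qr: 0, qc: 1, qm: 1 }; // x1 * x2 = x3
const ADD: Gate = Gate { ql: 1, qr: 1, qc: 1, qm: 0 }; // x1 + x2 = x3

// Rows: x*x = x^2, x*x^2 = x^3, x^3 + x = sum_0, sum_0 + 5 = output.
const GATES: [Gate; 4] = [MUL, MUL, ADD, ADD];
// Copy constraints: two (row, slot) positions that must hold the same value.
const COPIES: [((usize, usize), (usize, usize)); 6] = [
    ((0, 0), (0, 1)), ((0, 0), (1, 0)), ((0, 2), (1, 1)), // x, x, x^2
    ((1, 2), (2, 0)), ((0, 0), (2, 1)), ((2, 2), (3, 0)), // x^3, x, sum_0
];
// Assumption: the constant 5 and the claimed output 35 are public wire values.
const PUBLIC: [((usize, usize), u128); 2] = [((3, 1), 5), ((3, 2), 35)];

/// qL*x1 + qR*x2 - qC*x3 + qM*(x1*x2) = 0 (mod P), for values already below P.
fn gate_ok(g: Gate, [x1, x2, x3]: [u128; 3]) -> bool {
    let lhs = (g.ql * x1 % P + g.qr * x2 % P + g.qm * (x1 * x2 % P) % P) % P;
    lhs == g.qc * x3 % P
}

/// Returns "ok", or the name of the first class of constraint that fails.
fn verify(w: &[[u128; 3]; 4]) -> &'static str {
    if w.iter().flatten().any(|&v| v >= P) { return "range"; }
    if !GATES.iter().zip(w).all(|(&g, &row)| gate_ok(g, row)) { return "gate"; }
    if !COPIES.iter().all(|&((r1, s1), (r2, s2))| w[r1][s1] == w[r2][s2]) { return "copy"; }
    if !PUBLIC.iter().all(|&((r, s), v)| w[r][s] == v) { return "public"; }
    "ok"
}

fn main() {
    let honest = [[3, 3, 9], [3, 9, 27], [27, 3, 30], [30, 5, 35]];
    // Every row satisfies its own gate, but row 1 outputs 8 while row 2 consumes 27.
    let forged = [[2, 2, 4], [2, 4, 8], [27, 3, 30], [30, 5, 35]];
    println!("honest: {}, forged: {}", verify(&honest), verify(&forged));
}
```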

Plonky2: Advantages

  • Fast proving time (≈2.4M trace/second in standard recursive optimized config).
  • Circuits are easy to build with the builder pattern (a Builder class with many conveniences for developers).
  • Provides many popular gadgets (Merkle tree, range check...).
  • Configurable trade-off between prover cost and verification cost.
  • Recursive circuits are easy to write.

Example: Build circuit

[Figure: build circuit example 1]

Example: Proving and verifying data

[Figure: build circuit example 2]

About ZKP Labs

ZKP Labs is a non-profit organization that focuses on building a vibrant and supportive community in Southeast Asia dedicated to the advancement of Zero-Knowledge Proof (ZKP) technology. Through events, workshops, and training programs, we strive to create an environment that fosters collaboration, knowledge-sharing, and growth, empowering community members to contribute to the development and adoption of ZKP.