# PLONK Proof System The essence of zero-knowledge proofs is to provide an asymmetrically verifiable computation model. The computational logic, written in circuits, generates corresponding proofs during execution. Validators no longer need to execute the computational logic; they only need to verify the proof to trust that the computation result adheres to the agreed-upon logic. In the specific design of our system, all computations result in changes to user accounts. Therefore, circuits need to be written for all transactions to ensure the legitimacy of user account changes. For the underlying proof system, PLONK has been chosen. ## Circuit Development Circuits serve as the programming language for zero-knowledge proofs. PLONK algorithm uses two constraint relations to describe the entire circuit: 1. Addition and Multiplication Gate Constraints 2. Copy Constraints Since addition and multiplication gates only describe the dependency of individual gates, copy constraints are necessary to depict a complete circuit. Copy constraints represent the "shared" connections between gates.The following transaction logics have been implemented in the circuit: 1. Deposit 2. Withdrawal 3. Forced Withdrawal 4. Pool Creation 5. Swap 6. RFQ (Request for Quotation) 7. Liquidity Addition 8. Liquidity Removal ## Circuit Principles and Constraint System The constraint system in the circuit is a representation of constraints in circuit form. Each gate in the circuit represents a constraint. Assuming a circuit composed of n gates and m wires, where n <= m <= 2n. The constraint system consists of two parts: 1) input information for each gate, 2) coefficient vector for gate constraints.

V is a vector composed of left input a, right input b, and output c. Note that a/b/c are just indices. qL, qR, qO, qM, qC are selector vectors for gates. L stands for left, R for right, O for output, M for multiplication, and C for constant.

*Figure : Unified Definition of Satisfying Constraints*

The entire circuit satisfies the above equation. In other words, a constraint can represent both addition and multiplication. Three specific circuit representation methods are: 1) Arithmetic circuits (addition and multiplication) 2) Boolean value constraints 3) Public input constraints. Public input constraints can be understood as restricting a certain input to a fixed value, and that value is public.The protocol for the entire constraint system is shown in the following figure.

fL/fR/fO are the function representations of left/right/output. This constraint system enforces two logics: 1) copy constraint - ensuring wires shared between gates are correct. 2) Each gate's constraint holds. ## Plonk Protocol The entire PlonK protocol is based on polynomial commitments and the Fiat-Shamir heuristic algorithm. Given 3n witnesses and the polynomial's gate coefficient vector and permutation function, it proves the constraints for each gate. ### Public Information Public information in the PlonK protocol includes gate coefficients, permutation functions, and public inputs. ### Proof Process The proof calculation process is divided into 5 rounds. * First Round: Compute the polynomial representations of a(X), b(X), c(X), and calculate the elliptic points corresponding to the SRS. a/b/c corresponds to fL/fR/fO in the protocol.

*Figure : Proof Calculation - First Round*

* Second Round: Use the Fiat-Shamir heuristic algorithm to generate random numbers, compute the polynomial representation of z(X), and calculate the elliptic points corresponding to the SRS.

*Figure : Proof Calculation - Second Round*

* Third Round: Use the Fiat-Shamir heuristic algorithm to generate random numbers, compute the polynomial representation of t(X), and calculate the elliptic points corresponding to the SRS.

*Figure : Proof Calculation - Third Round*

* Fourth Round: From the fourth round onwards, the calculation involves specific points corresponding to elliptic points. Use the Fiat-Shamir heuristic algorithm to generate random numbers. Calculate values for a/b/c/t/z and permutation functions.

*Figure : Proof Calculation - Fourth Round*

* Fifth Round: Use the Fiat-Shamir heuristic algorithm to generate random numbers and compute proofs for multiple polynomial commitments.

*Figure : Proof Calculation - Fifth Round*

### Verification Process The verification process, apart from some simple data checks, revolves around verifying a multi-class polynomial commitment. The core calculation is F - E. F represents commitment values for multiple polynomials, and E represents challenge values for multiple polynomials. The multi-class polynomial commitment algorithm ensures that the challenge values are consistent with the commitment. The D in the F calculation is composed of r and z functions.

## Proof Architecture Design In the system's architecture design, a multi-prover architecture is employed. Multiple provers receive proof tasks from the server and generate proofs in parallel. This means the system supports horizontal scalability, allowing proof efficiency to be enhanced by adding computational resources.This detailed design ensures that the PlonK proof system is not only theoretically sound but also practically efficient in handling various transactions and maintaining the security of the overall system. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://openbitbtc.gitbook.io/docs/plonk-proof-system.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.