PLONK Proof System

The essence of zero-knowledge proofs is to provide an asymmetrically verifiable computation model. The computational logic, written in circuits, generates corresponding proofs during execution. Validators no longer need to execute the computational logic; they only need to verify the proof to trust that the computation result adheres to the agreed-upon logic.

In the specific design of our system, all computations result in changes to user accounts. Therefore, circuits need to be written for all transactions to ensure the legitimacy of user account changes. For the underlying proof system, PLONK has been chosen.

Circuit Development

Circuits serve as the programming language for zero-knowledge proofs. PLONK algorithm uses two constraint relations to describe the entire circuit:

1. Addition and Multiplication Gate Constraints

2. Copy Constraints

Since addition and multiplication gates only describe the dependency of individual gates, copy constraints are necessary to depict a complete circuit. Copy constraints represent the "shared" connections between gates.The following transaction logics have been implemented in the circuit:

1. Deposit

2. Withdrawal

3. Forced Withdrawal

4. Pool Creation

5. Swap

6. RFQ (Request for Quotation)

7. Liquidity Addition

8. Liquidity Removal

Circuit Principles and Constraint System

The constraint system in the circuit is a representation of constraints in circuit form. Each gate in the circuit represents a constraint. Assuming a circuit composed of n gates and m wires, where n <= m <= 2n. The constraint system consists of two parts: 1) input information for each gate, 2) coefficient vector for gate constraints.

Figure : Constraint System Definition

V is a vector composed of left input a, right input b, and output c. Note that a/b/c are just indices. qL, qR, qO, qM, qC are selector vectors for gates. L stands for left, R for right, O for output, M for multiplication, and C for constant.

Figure : Unified Definition of Satisfying Constraints

The entire circuit satisfies the above equation. In other words, a constraint can represent both addition and multiplication. Three specific circuit representation methods are: 1) Arithmetic circuits (addition and multiplication) 2) Boolean value constraints 3) Public input constraints. Public input constraints can be understood as restricting a certain input to a fixed value, and that value is public.The protocol for the entire constraint system is shown in the following figure.

Figure : Constraint System Protocol

fL/fR/fO are the function representations of left/right/output. This constraint system enforces two logics: 1) copy constraint - ensuring wires shared between gates are correct. 2) Each gate's constraint holds.

Plonk Protocol

The entire PlonK protocol is based on polynomial commitments and the Fiat-Shamir heuristic algorithm. Given 3n witnesses and the polynomial's gate coefficient vector and permutation function, it proves the constraints for each gate.

Public Information

Public information in the PlonK protocol includes gate coefficients, permutation functions, and public inputs.

Proof Process

The proof calculation process is divided into 5 rounds.

• First Round: Compute the polynomial representations of a(X), b(X), c(X), and calculate the elliptic points corresponding to the SRS. a/b/c corresponds to fL/fR/fO in the protocol.

Figure : Proof Calculation - First Round

• Second Round: Use the Fiat-Shamir heuristic algorithm to generate random numbers, compute the polynomial representation of z(X), and calculate the elliptic points corresponding to the SRS.

Figure : Proof Calculation - Second Round

• Third Round: Use the Fiat-Shamir heuristic algorithm to generate random numbers, compute the polynomial representation of t(X), and calculate the elliptic points corresponding to the SRS.

Figure : Proof Calculation - Third Round

• Fourth Round: From the fourth round onwards, the calculation involves specific points corresponding to elliptic points. Use the Fiat-Shamir heuristic algorithm to generate random numbers. Calculate values for a/b/c/t/z and permutation functions.

Figure : Proof Calculation - Fourth Round

• Fifth Round: Use the Fiat-Shamir heuristic algorithm to generate random numbers and compute proofs for multiple polynomial commitments.

Figure : Proof Calculation - Fifth Round

Verification Process

The verification process, apart from some simple data checks, revolves around verifying a multi-class polynomial commitment. The core calculation is F - E. F represents commitment values for multiple polynomials, and E represents challenge values for multiple polynomials. The multi-class polynomial commitment algorithm ensures that the challenge values are consistent with the commitment. The D in the F calculation is composed of r and z functions.

Figure : Verification Process

Proof Architecture Design

In the system's architecture design, a multi-prover architecture is employed. Multiple provers receive proof tasks from the server and generate proofs in parallel. This means the system supports horizontal scalability, allowing proof efficiency to be enhanced by adding computational resources.This detailed design ensures that the PlonK proof system is not only theoretically sound but also practically efficient in handling various transactions and maintaining the security of the overall system.