https://github.com/0xPolygonZero/plonky

Recursive SNARKs based on Plonk and Halo
https://github.com/0xPolygonZero/plonky

cryptography halo plonk zk-snarks

Last synced: 5 months ago
JSON representation

Recursive SNARKs based on Plonk and Halo

• Host: GitHub
• URL: https://github.com/0xPolygonZero/plonky
• Owner: 0xPolygonZero
• Archived: true
• Created: 2020-02-04T18:12:18.000Z (about 5 years ago)
• Default Branch: master
• Last Pushed: 2021-10-19T22:10:35.000Z (over 3 years ago)
• Last Synced: 2024-05-19T00:29:03.233Z (11 months ago)
• Topics: cryptography, halo, plonk, zk-snarks
• Language: Rust
• Homepage:
• Size: 837 KB
• Stars: 109
• Watchers: 7
• Forks: 13
• Open Issues: 8
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-plonk - plonky: Recursive SNARKs based on Plonk and Halo

README

        
# Plonky

Plonky is a prototype implementation of recursive arguments. It is loosely based on [PLONK](https://eprint.iacr.org/2019/953), with a few customizations:

* While PLONK uses [KZG](https://www.iacr.org/cryptodb/data/paper.php?pubkey=23846)'s pairing-based polynomial commitment scheme, we use a batched variant of the [Halo](https://eprint.iacr.org/2019/1021) technique to recursively verify discrete log based polynomial commitments.

* The standard PLONK model was designed for arithmetic circuits; it uses a single constraint to verify additive and multiplicative relationships. We use a variety of custom gates, such as a gate which performs a step of a [Rescue](https://eprint.iacr.org/2019/426) permutation. The maximum degree of our constraints is 8, compared to 3 in standard PLONK.

* In standard PLONK, each gate interacts with three wires, which are typically thought of as two input wires and one output wire. We use a much higher arity -- 9 wires per gate -- although only 6 of them are involved in the permutation argument. The other 3 can be thought of as "advice" wires.

* The zero-knowledge technique in the Plonk paper would cause each witness polynomial's degree to slightly exceed a power of two, which doesn't work well with Halo. We use a [different blinding method](https://mirprotocol.org/blog/Adding-zero-knowledge-to-Plonk-Halo).

For more details, see [Fast recursive arguments based on Plonk and Halo](https://mirprotocol.org/blog/Fast-recursive-arguments-based-on-Plonk-and-Halo).

## Disclaimer

This code has not been thoroughly reviewed or tested, and should not be used in any production systems.