PLONK (Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge) is a breakthrough zkSNARK construction introduced by Gabizon, Williamson, and Ciobotaru at the IACR 2019. Its key innovation over Groth16: a universal and updatable structured reference string (SRS) — meaning a single trusted setup ceremony generates keys usable by any circuit up to a maximum size, eliminating the need for per-circuit ceremonies. This makes PLONK vastly more practical for programmable blockchain applications where new circuits are constantly being developed. The tradeoff: PLONK proofs are ~500 bytes (vs. Groth16’s 192 bytes) and verification takes ~2ms (vs. 1ms). PLONK uses KZG polynomial commitments as its commitment scheme, enabling the universal SRS. PLONK spawned a family of descendants: TurboPlonk (custom gates), UltraPLONK (lookup tables via Plookup), Halo2 (IPA-based, no trusted setup) — and is now the underlying proof system for Aztec Network’s private EVM and most production zkEVMs.
Universal Setup vs. Circuit-Specific Setup
Groth16 (circuit-specific):
- Ceremony per circuit → 100 circuits = 100 ceremonies
- Proving/verification keys tied to circuit structure
- Cannot reuse ceremony for new circuits
PLONK (universal):
- One ceremony generates SRS up to degree d
- Any circuit with ≤ d gates uses the same SRS
- Add a new circuit → no new ceremony needed
- SRS is updatable: new participants can contribute additional entropy even post-deployment (strictly increases security)
KZG Polynomial Commitments
PLONK’s core primitive is KZG commitments (Kate-Zaverucha-Goldberg, 2010):
- Commit to polynomial f(x) by publishing [f(τ)]G (τ is the secret from ceremony)
- Open at point z: reveal f(z) and a proof π that this is correct
- Verifier checks using pairing: e([f(τ)]G, G) = e(π, [τ-z]G) · e([f(z)]G, G)
This enables PLONK to prove polynomial identities hold over a domain without revealing the polynomials — the foundation of the universal SNARK construction.
PLONK Arithmetization
Unlike Groth16’s R1CS, PLONK uses its own “PLONK arithmetization”:
- Gates: Selector polynomials choose between add/multiply/custom operations
- Wiring: Permutation argument ensures signals are consistently used
- Copy constraints: Ensures the same signal value appears in multiple positions
PLONK Family
| Variant | Key Addition | Used By |
|---|---|---|
| PLONK | Universal setup | Base system |
| TurboPlonk | Custom gates | Aztec v2 |
| UltraPLONK | Lookup tables (Plookup) | Aztec v3 / Noir |
| Halo2 | IPA (no trusted setup) | Zcash Orchard, Scroll |
| HyperPlonk | Multilinear extension | Research |
| Fflonk | Faster verification | Polygon zkEVM |
Sources
- Gabizon, Williamson, Ciobotaru — PLONK: Permutations over Lagrange-bases (IACR ePrint 2019/953) — the original PLONK paper; foundational reference for all claims about proof size, universal SRS, and KZG commitments.
- Aztec Network — PLONK Implementation — production implementation in Aztec and explanations of TurboPlonk and UltraPLONK extensions.
- ZKProof Community — PLONK Reference — standardization community reference for ZK proof systems.
Related Terms
Sources
- “PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge” — Gabizon, Williamson, Ciobotaru (2019). The original PLONK paper — introducing the universal zkSNARK, definiting the arithmetization, KZG commitment scheme, and proving system, with formal security proofs.
- “UltraPLONK: Efficient Range Proofs and Lookups for PLONK” — Williamson / Aztec Network (2020). Introducing the Plookup extension to PLONK — enabling lookup tables that dramatically reduce constraint count for operations like range checks, bitwise operations, and XOR.) require bit decomposition in base R1CS/PLONK: 32 boolean constraints for each bit; for operations like XOR (two 8-bit inputs → 8-bit output), need 24 constraints; Plookup solution: maintain a table T of precomputed (input1, input2, output) tuples; prove that query (a, b, c) is in table T using a polynomial multiset equality check; constraint count: range check with Plookup: 1 lookup constraint instead of 32 bit constraints (32× reduction); XOR with Plookup: 1 constraint instead of 24; SHA-256 circuit with Plookup: reduced from 27,000 constraints to ~8,000; hash operations (non-ZK-friendly): Keccak-256 with Plookup: ~10,000 constraints vs. ~150,000 without; impact on zkEVM: Ethereum EVM uses Keccak extensively (memory addresses, state root computation); Keccak is the primary constraint bottleneck for zkEVM proving; Plookup makes zkEVM 10-15× more efficient for Keccak operations; UltraPLONK = standard PLONK + Plookup lookup argument; production use: Aztec Network Noir compiler targets UltraPLONK; Polygon zkEVM uses Plookup for Keccak acceleration in its PIL (Polynomial Identity Language) arithmetization.]
- “Halo2: Recursive Proofs Without Trusted Setup” — Bowe, Grigg, Hopwood (Zcash / ECC, 2019-2021). Introduction of the Halo technique enabling recursive proof composition without trusted setup, later refined into the Halo2 proving system using IPA (Inner Product Argument) polynomial commitments.
- “The Aztec Ignition Ceremony: PLONK Universal Trusted Setup” — Aztec Network (2020). Documentation of Aztec’s “Ignition” trusted setup ceremony — the generation of PLONK’s universal SRS, involving 176 participants and establishing the cryptographic foundation for Aztec’s private EVM.
- “PLONK Verification On-Chain: Gas Costs and Optimization” — Ethereum Research (2022). Analysis of on-chain PLONK proof verification costs — examining verifier contract gas costs, calldata costs, and optimization techniques for production zkRollup deployment.