Definition:
PLONK is a zero-knowledge proof system that achieves a universal trusted setup — a single Multi-Party Computation (MPC) ceremony produces public parameters usable for any circuit up to a specified size constraint — eliminating the need for per-application ceremonies while maintaining the succinct proof size and fast verification of ZK-SNARKs. Published in 2019 by Ariel Gabizon, Zachary Williamson, and Oana Ciobotaru, PLONK became the dominant SNARK backend for ZK applications after Groth16, used by projects including zkSync Era, Aztec Network, Dusk Network, and numerous others.
The Problem PLONK Solved
The dominant ZK-SNARK before PLONK was Groth16, which requires a circuit-specific trusted setup:
- Each different application must run its own MPC ceremony
- A new circuit version (even a minor update) requires a new ceremony
- Running a secure MPC ceremony is expensive and logistically complex (coordinating dozens of participants)
Zcash’s Sapling parameter generation required a dedicated multi-party ceremony in 2017. Running this ceremony for every DeFi application or ZK-rollup would be impractical.
PLONK’s solution: A universal setup — one ceremony (e.g., “Ignition,” organized by Aztec Network in 2019 with 176 participants) generates a structured reference string (SRS) usable for any PLONK circuit up to a given complexity bound. New circuits don’t need new ceremonies.
Technical Overview
Polynomial commitment scheme: PLONK uses KZG commitments (Kate-Zaverucha-Goldberg) to commit to polynomials compactly. The prover encodes the witness and circuit constraints as polynomials, creates KZG commitments, and the verifier checks these commitments without seeing the polynomials.
Permutation argument: The “P” in PLONK refers to the use of permutations to check wiring constraints — ensuring values are correctly passed between gates in the circuit.
Custom gates: PLONK’s architecture allows adding specialized computation gates (beyond basic add/multiply), reducing circuit size for common operations (e.g., elliptic curve operations, hash functions).
PLONK Variants
PLONK inspired numerous variants and extensions:
TurboPlonk: Custom gates + lookup arguments; used in Aztec Connect.
UltraPlonk: Adds range checks and lookup tables for more efficient circuit representation; used in Aztec and Noir.
HyperPlonk: Multilinear extension of PLONK for better prover performance.
Plonky2: Combines PLONK with FRI (a hash-function-based polynomial commitment scheme), removing the need for elliptic curve pairings. Developed by Polygon. Enables fast recursive proof composition and claimed the fastest proof generation times (2022).
Comparison to Groth16
| Feature | Groth16 | PLONK |
|---|---|---|
| Trusted setup | Circuit-specific | Universal |
| Proof size | ~200 bytes (smallest) | ~1.2 KB |
| Verification time | Fastest | Fast |
| Custom gates | No | Yes |
| Quantum security | No | No |
| Primary use today | Zcash, Filecoin | Most new ZK applications |
Groth16 retains advantages in proof size and verification speed for circuits where a trusted setup is acceptable. PLONK is preferred for new applications where a universal setup and upgradeability matter.
Adoption
- Aztec Network: Uses UltraPlonk for Aztec’s privacy-first L2
- zkSync Boojum (v2): Partially based on PLONK primitives
- Polygon Zero / Plonky2: Polygon’s custom PLONK derivative for recursive proofs
- StarkWare: Uses STARKs, not PLONK — a distinct architectural choice
- Many ZK identity projects: Use PLONK for credential proofs
Related Terms
Sources
- PLONK Paper — Original 2019 PLONK academic paper by Gabizon, Williamson, Ciobotaru.
- Aztec — PLONK Explainer — Accessible introduction to PLONK by one of its primary developers.
- Vitalik Buterin — Understanding PLONK — Technical walkthrough of PLONK’s core innovation.
- Plonky2 GitHub — Polygon’s PLONK derivative with FRI-based commitments.
Last updated: 2026-04