Crypto Gloss

PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge

Authors Gabizon, Ariel; Williamson, Zachary J.; Ciobotaru, Oana
Year 2019
Project PLONK
License Creative Commons
Official Source https://eprint.iacr.org/2019/953

This page is an educational summary and analysis of an official whitepaper or technical paper, written for reference purposes. It is not a verbatim reproduction. CryptoGloss does not claim authorship of the original work. All intellectual property rights remain with the original author(s). The official document is linked above.

“PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge” is a paper by Ariel Gabizon (formerly Zcash/ECC), Zachary J. Williamson (Aztec Network), and Oana Ciobotaru, published at IACR ePrint in 2019. PLONK introduces a zk-SNARK that uses a universal and updateable structured reference string (SRS) — a single trusted setup that works for any circuit up to a maximum size, removing the need for circuit-specific ceremonies that make Groth16 operationally burdensome.

Since 2020, PLONK and its variants (TurboPlonk, UltraPlonk, Halo2, Plonky2) have become the dominant SNARK proving system for new ZK applications: zkSync, Scroll, Aztec, Polygon PLONK, JellyFish, Hyperplonk, and many others.

> PDF hosting: The PLONK paper is at eprint.iacr.org/2019/953.

Publication and Context

Groth16, while efficient, required a fresh trusted setup for every application-specific circuit. For a company deploying multiple ZK applications (or iterating on a circuit frequently), this was operationally painful and a trust burden.

Universal SNARKs — systems where one setup works for all circuits — had been explored theoretically but were either too slow or too large. PLONK achieved practical universal SNARKs by:

  1. Using Lagrange polynomial representation of circuits (allowing efficient variable-number-of-gates computation)
  2. A novel permutation argument to enforce wire equality constraints
  3. A polynomial commitment scheme (KZG commitments over BLS12-381) for efficient verification

“Oecumenical” in the title is a scholarly term meaning “universal” — PLONK is the universal SNARK.

PLONK’s Circuit Representation

Where Groth16 compiles to R1CS (rank-1 constraints: a·b = c), PLONK uses arithmetic gates directly in a table format:

Each gate has:

  • Left input wire: $a_i$
  • Right input wire: $b_i$
  • Output wire: $c_i$
  • Selector polynomials: $q_L, q_R, q_O, q_M, q_C$ defining the gate type

Gate constraint:

$$q_M cdot a_i cdot b_i + q_L cdot a_i + q_R cdot b_i + q_O cdot c_i + q_C = 0$$

This gate handles:

  • Multiplication: $a_i cdot b_i = c_i$ (set $q_M=1, q_O=-1$)
  • Addition: $a_i + b_i = c_i$ (set $q_L=q_R=1, q_O=-1$)
  • Constants: arbitrary linear combinations

Permutation argument (copy constraints):

If wire $a_3$ must equal wire $c_7$ (e.g., the output of one gate is the input to another), PLONK encodes this using a permutation of wire indices and proves that the actual values satisfy this permutation via a grand product argument. This is the “P” in PLONK.

Universal and Updateable SRS

The key innovation: PLONK’s structured reference string (SRS) consists of:

  • ${[x^i]_1}_{i=0}^{n}$ (powers of a secret scalar x in group $G_1$)
  • $[x]_2$ (one element in $G_2$)

This SRS works for any circuit with at most $n$ gates. The same SRS generated by the Powers of Tau ceremony used by one SNARK application can be reused by all other SNARK applications that fit within the size limit.

Updateable: New participants can contribute fresh randomness to the SRS at any time, strengthening the security assumption without restarting from scratch.

PLONK Extensions

The original PLONK paper immediately spawned several extensions:

TurboPlonk / UltraPlonk (Aztec, 2020):

Added custom gates — PLONK’s standard gates are general, but custom gates encode specific operations (e.g., elliptic curve point addition, range checks) in a single gate rather than many generic gates. This dramatically reduces circuit size for specific operations.

Halo2 (Zcash ECC, 2020):

Combines PLONK with the Halo recursive proof system and uses Pedersen commitments instead of KZG. This achieves a fully transparent (no trusted setup) SNARK with recursive proof composition. Used in Zcash’s Orchard pool and Scroll’s zkEVM.

Plonky2 (Polygon, 2022):

Combines PLONK with FRI (STARKs’ main component) instead of KZG for fast, transparent, recursive proofs over small fields. Achieves recursive aggregation in ~170ms — key for fast proof composition.

Hyperplonk, Boojum, etc.: Further variants focusing on multilinear extensions, look-up tables, and GPU acceleration.

Proof Size vs. Groth16

Property Groth16 PLONK
Proof size ~200 bytes ~400–600 bytes
Trusted setup Circuit-specific Universal (one for all circuits up to n gates)
Verification time Very fast (1 equation) Moderate (multiple equations)
Custom logic Hard (R1CS) Easy (custom gates)
Dominant use Legacy/Zcash/Tornado All major new ZK systems

Reality Check

PLONK’s universal setup is genuinely more practical than Groth16’s per-circuit-setup model. In production, however, many systems still use KZG-based PLONK (which requires the Powers of Tau ceremony) rather than fully transparent variants. The “updateable” property is rarely exercised in practice — most teams use an existing trusted Powers of Tau ceremony rather than organizing new contributions.

Custom gates (TurboPlonk/UltraPlonk) dramatically improve circuit sizes but significantly increase circuit design complexity — requiring specialized engineers to write optimal circuits.

Legacy

PLONK is arguably the most influential zk-SNARK paper since Groth16. It directly powers:

  • Aztec Network (Noir programming language)
  • zkSync (Boojum, a PLONK variant)
  • Scroll (Halo2-based zkEVM)
  • Polygon (Plonky2 recursive proofs)
  • Mina Protocol (Kimchi, a PLONK variant)
  • Many others

The PLONK framework’s extensibility — especially custom gates and lookup tables — has become the standard building block for zkEVM circuit design.

Related Terms

Research

  • Gabizon, A., Williamson, Z.J., & Ciobotaru, O. (2019). PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge. IACR ePrint 2019/953.

— Primary source. Section 5 proves the permutation argument; Section 8 gives the full protocol description.

  • Gabizon, A., & Williamson, Z.J. (2020). plookup: A simplified polynomial protocol for lookup tables. IACR ePrint 2020/315.

— Extension of PLONK with efficient lookup arguments; enables efficient range checks and hash lookups.

  • Groth, J. (2016). On the Size of Pairing-Based Non-Interactive Arguments. EUROCRYPT 2016.

— Groth16, the preceding system; PLONK explicitly addresses Groth16’s circuit-specific setup limitation.