Hey! I'm David, the author of the Real-World Cryptography book. I'm a crypto engineer at O(1) Labs on the Mina cryptocurrency, previously I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

Quick access to articles on this page:

more on the next page...

How does PLONK work? Part 10: The Kate polynomial commitment scheme posted August 2021

In this tenth video, I explain how the Kate polynomial commitment scheme works. For more information about it, check this other blogpost I wrote. This polynomial commitment scheme will be useful to force the prover to commit to its polynomials before learning the random point they need to be evaluated at.

comment on this story

How does PLONK work? Part 9: Our final protocol! (Without the copy constraints) posted August 2021

In this ninth video, I explain what polynomial commitment schemes are as well as their API. I also mention the Kate polynomial commitment scheme (KZG), based on pairings, and bootle/bulletproof types of polynomial commitments schemes, based on inner products.

comment on this story

How does PLONK work? Part 8: A polynomial dance posted August 2021

In this eighth video, I explain how the prover and the verifier can perform a "polynomial dance" in order to construct the circuit polynomial $f$. The principle is simple: the prover doesn't want to leak information about the private inputs and the intermediary values in the circuit, and the verifier doesn't want to give the prover too much freedom in the way they construct the circuit polynomial $f$.

comment on this story

How does PLONK work? Part 7: A sketch protocol with our polynomial posted August 2021

In this seventh video, I explain how we use our circuit polynomial $f$ in a protocol between a prover and a verifier to prove succinctly that $f$ vanishes on a number of specified points.

Stay tuned for part 9... Part 8 is here. Check the full series here.

comment on this story

How does PLONK work? Part 6: From constraint systems to polynomials posted August 2021

In this sixth video, I explain the compilation, or even compression, of a set of equations into a single polynomial. That polynomial represents all of our constraints, as long as it vanishes in an agreed set of points. With a polynomial in hand, we will be able to create a protocol with our polynomial-based proof system.

comment on this story

How does PLONK work? Part 5: From arithmetic circuits to constraint systems posted August 2021

In this fifth video, I explain how we can "compile" an arithmetic circuit into something PLONK can understand: a constraint system. Specifically, a PLONK-flavored constraint system, which is a series of equations that must if equal to zero correctly describe our program (or circuit).

comment on this story

How does PLONK work? Part 4: From programs to arithmetic circuits posted August 2021

In this fourth video, I explain the "arithmetization" of our program into so-called arithmetic circuits. You can see this as "encoding" programs into math, so that we can use cryptography on them.

comment on this story

How does PLONK work? Part 3: Starting with the end: polynomials posted August 2021

In this third video, I start by explaining what the protocol will use at the end: polynomials. It'll give you a glimpse as to what direction we'll be taking when we transform our program into something we can prove.

comment on this story