Hey! I'm David, the author of the Real-World Cryptography book. I'm a crypto engineer at O(1) Labs on the Mina cryptocurrency, previously I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

# How does PLONK work? Part 8: A polynomial dance posted August 2021

In this eighth video, I explain how the prover and the verifier can perform a "polynomial dance" in order to construct the circuit polynomial $f$. The principle is simple: the prover doesn't want to leak information about the private inputs and the intermediary values in the circuit, and the verifier doesn't want to give the prover too much freedom in the way they construct the circuit polynomial $f$.

comment on this story

# How does PLONK work? Part 7: A sketch protocol with our polynomial posted August 2021

In this seventh video, I explain how we use our circuit polynomial $f$ in a protocol between a prover and a verifier to prove succinctly that $f$ vanishes on a number of specified points.

Stay tuned for part 9... Part 8 is here. Check the full series here.

comment on this story

# How does PLONK work? Part 6: From constraint systems to polynomials posted August 2021

In this sixth video, I explain the compilation, or even compression, of a set of equations into a single polynomial. That polynomial represents all of our constraints, as long as it vanishes in an agreed set of points. With a polynomial in hand, we will be able to create a protocol with our polynomial-based proof system.

comment on this story

# How does PLONK work? Part 5: From arithmetic circuits to constraint systems posted August 2021

In this fifth video, I explain how we can "compile" an arithmetic circuit into something PLONK can understand: a constraint system. Specifically, a PLONK-flavored constraint system, which is a series of equations that must if equal to zero correctly describe our program (or circuit).

comment on this story

# How does PLONK work? Part 4: From programs to arithmetic circuits posted August 2021

In this fourth video, I explain the "arithmetization" of our program into so-called arithmetic circuits. You can see this as "encoding" programs into math, so that we can use cryptography on them.

comment on this story

# How does PLONK work? Part 3: Starting with the end: polynomials posted August 2021

In this third video, I start by explaining what the protocol will use at the end: polynomials. It'll give you a glimpse as to what direction we'll be taking when we transform our program into something we can prove.

comment on this story

# How does PLONK work? Part 2: An overview posted August 2021

In this second video, I give some intuition on how to think about zero-knowledge proof systems, with the example of proving the solution of a sudoku, then I give an overview of what I'll explain in this series of video.

comment on this story

# How does PLONK work? Part 1: What's PLONK? posted August 2021

I recently got into general-purpose zero-knowledge proof systems (cryptographic primitives that allow you to prove the execution of a program without revealing some of the inputs), specifically the state-of-the-art PLONK proof system. This is a series of video I made to explain what I understood and learned in the past few months. There might be some inaccuracies, so I apologize in advance for that. You can check all the videos via the playlist here: https://www.youtube.com/watch?v=RUZcam_jrz0&list=PLBJMt6zV1c7Gh9Utg-Vng2V6EYVidTFCC

In this first video, I simply explain what general-purpose zero-knowledge proofs are, specifically zk-SNARKs, and what PLONK is.

comment on this story