arithmetic circuits, KZG, and one verifier pairing

PLONK — the universal-updatable SNARK authorising state changes in a metadata-hiding registry.

A succinct non-interactive argument of knowledge for arithmetic circuits over $F_r$. The prover encodes a witness as polynomials, commits via KZG, and proves a permutation-argument identity. The verifier samples challenges via Fiat-Shamir and checks one algebraic identity with a single pairing.

~700-byte proof, verified by one CAP-0059 pairing on Stellar, one universal SRS across every circuit in the deployment. Order of magnitude larger than Groth16's 192 B; two orders smaller than FRI configurations.

proof size: ~700 B
verifier work: 1 pairing
commitment: KZG
curve: BLS12-381
updatable setup: universal

the shape

What a SNARK actually is: circuit and witness in, one bit out.

A prover holds a witness $w$ and a circuit $C$. The prover produces a short proof $\pi$ that $C(x,w)=0$ for some public input $x$, revealing nothing about $w$. The verifier reads $\pi$ and $x$, runs a fixed-cost check, and accepts or rejects. This instantiation of PLONK fixes the algebraic machinery: KZG over BLS12-381, Fiat-Shamir under Poseidon2, one pairing at the end.

[Diagram: circuit C + witness w (constraints over F_r) and public input x → PROVER, off-chain: encode → commit → hash (polynomials over F_r; KZG commitments in G₁; Fiat-Shamir via Poseidon2; AGM + ROM) → π, ~700 B → VERIFIER, on-chain: one pairing e(L, [1]₂) =? e(R, [τ]₂), G₁ MSMs + 1 pairing + preprocessed verifying key → 0 / 1, accept / reject]

Witness polynomials · over $F_r$, the 255-bit scalar field
Wire values $a(X), b(X), c(X)$ and selector polynomials $q_*(X)$ encode the circuit and its assignment as low-degree polynomials.

KZG commitments · one 48 B $G_1$ element per polynomial
$[f]_1 = \sum_i f_i \tau^i G$ — each polynomial collapses to one curve point. Binding reduces to $d$-SBDH on BLS12-381.

Fiat-Shamir transcript · Poseidon2 over $F_r$
Hashes public inputs and commitments, sampling every challenge $\beta, \gamma, \alpha, \zeta$. Replaces an interactive verifier with a deterministic one.

Three objects, two algebraic domains. Steps 1–2 of the pipeline live in $F_r$, steps 3–5 in $G_1$, step 6 in $G_T$. The same colour convention runs through the rest of the page.

the pipeline, step-through

Six stages off-chain. One pairing on-chain.

From a circuit to a 700-byte proof in six moves. Each step produces a concrete object the next step consumes — polynomials, commitments, evaluations, finally one pairing equation. Step through them.


Six stages off-chain, one pairing on-chain. The ~700-byte proof is the only thing that crosses the wire.

parameters

Concrete numbers.

All values are fixed by the protocol definition or by the deployment's host-function surface. None are tunable knobs.

Curve: BLS12-381
Polynomial commitment: KZG (constant-size openings)
In-circuit hash: Poseidon2 over $F_r$
Proof size: ~700 bytes
Public input, R_Mem: 32 bytes
Public input, R_Upd: 96 bytes
Setup: universal updatable · EF KZG SRS reuse
Verifier work: 1 pairing + $G_1$ MSMs
Prover wall-clock (smallest tier): sub-second

wiring — setup, prover, verifier

One SRS, many circuits, one pairing.

The setup runs once and produces a structured reference string usable by every circuit in the deployment. The prover runs once per proof, off-chain. The verifier runs once per proof, on-chain — three host functions, one bit of output.

Setup · once
Prover · per proof, off-chain
Verifier · per proof, on-chain
SRS
Universal updatable SRS
Ethereum Foundation KZG ceremony reuse (~141 000 contributors). Trust survives as long as one contributor was honest.
preprocessing
Per-circuit verifying key
Selector and permutation polynomials for each circuit are committed up front; the on-chain verifier reads the verifying key, not the circuit.
two relations · multiple tiers
R_Mem ("I am a current member", for reads) and R_Upd ("this new commitment is the legitimate successor under the policy", for writes) compile to PLONK circuits in multiple size tiers. All share one SRS, producing a fixed verifying-key set per deployment.
F_r
Arithmetize → encode
Relation becomes gate constraints; wire values and selectors become low-degree polynomials $a(X), b(X), c(X), q_*(X)$ over $F_r$.
G₁ · MSM
KZG-commit over BLS12-381
Each polynomial collapses to a 48-byte $G_1$ commitment $[f]_1 = \sum_i f_i \tau^i G$ — one multi-scalar multiplication per commitment.
F_r · Poseidon2
Fiat-Shamir & opening
Challenges $\beta, \gamma, \alpha, \zeta$ are hashed from the transcript-so-far; prover opens all commitments at $\zeta$ and batches into one linearization.
G₁ · proof bytes
Pack ~700 B proof
$G_1$ commitments plus a handful of $F_r$ evaluations. The whole proof ships in roughly seven hundred bytes.
CAP-0059
Aggregate verifier MSM
bls12_381_g1_add · bls12_381_g1_mul
Reduces all commitments and Fiat-Shamir challenges to two final $G_1$ elements $L$ and $R$.
CAP-0059
One pairing decides
bls12_381_pairing
$e(L, [1]_2) \overset{?}{=} e(R, [\tau]_2)$. The single pairing returns the one bit of output the contract reads.
on-chain
No witness, ever
The verifier sees only the proof, the public input, and the verifying key. The witness never crosses the chain boundary.

Setup and prover share the cool/blue lane tint — both run off-chain in $F_r$ and $G_1$. The verifier's lane is amber: warm, host-function-bound, the only thing the chain pays for.

security

A heuristic that holds. A break that's coming.

Two assumptions, two horizons. The classical card is the working margin today; the post-quantum card is the load-bearing caveat — and the one a deployment must say out loud.

classical · holding
AGM + ROM

Knowledge soundness in the algebraic group model; Fiat-Shamir under the random oracle.

Commitment binding reduces to the $d$-SBDH assumption on BLS12-381. Zero-knowledge holds against unbounded distinguishers in the standard model.

  • AGM is a heuristic, not a standard-model proof — a separation from the generic group model could in principle be exploited.
  • Fiat-Shamir collapses interaction to one round under the random-oracle model; in-circuit Poseidon2 is the concrete instantiation.
  • The zero-knowledge guarantee is information-theoretic against unbounded distinguishers; the only thing computational here is soundness.
post-quantum · broken under Shor
Shor

The KZG sub-component falls; PLONK falls with it.

The bound is the same as for the underlying curve — discrete log in $G_1$ on BLS12-381 is solvable in polynomial time on a CRQC, which collapses KZG's binding, which collapses PLONK's soundness. There is no graceful degradation.

  • Migration paths: FRI-based STARKs, Plonky3 with hash-based polynomial commitments, or lattice-based SNARKs.
  • Current deployment constraints depend on the host environment's precompile surface — a curve change isn't free if the chain only exposes BLS12-381 host functions.
  • Mitigation is a commitment-scheme swap, not a parameter bump.
required
Simulation-extractability is required for authorising operations like R_Upd. Every public input must enter the Fiat-Shamir transcript before any challenge is drawn. Omitting it has caused real exploitable bugs — proof malleability and rewriting public inputs in flight.
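The transcript rule stated above, as an added example that is not code from this page or from the deployment it describes. SHA-256 stands in for Poseidon2 (an assumption; the hash is not the point), the field modulus and the 48-byte commitment stand-ins are constructed values, and the point demonstrated is the precondition for the malleability the text names: a transcript that does not absorb the public input before drawing $\beta, \gamma, \alpha, \zeta$ derives identical challenges for two different public inputs, whereas the bound transcript does not.

```python
import hashlib

R = 2**31 - 1  # toy field modulus for reducing challenges (assumption)

class Transcript:
    """Domain-separated Fiat-Shamir transcript. SHA-256 stands in for Poseidon2 (assumption)."""

    def __init__(self, relation: bytes):
        self.h = hashlib.sha256(b"plonk-transcript/" + relation)

    def absorb(self, label: bytes, data: bytes):
        # Label and length-prefix each item so distinct absorb sequences cannot collide.
        self.h.update(label + len(data).to_bytes(4, "big") + data)

    def challenge(self, label: bytes) -> int:
        # Every challenge depends on everything absorbed so far, including earlier challenges.
        self.absorb(b"challenge/", label)
        c = int.from_bytes(self.h.digest(), "big") % R
        self.absorb(b"drawn/", c.to_bytes(4, "big"))
        return c

def challenges(public_input: bytes, commitments: list, bind_public_input: bool):
    """Derive beta, gamma, alpha, zeta for one proof.
    bind_public_input=False reproduces the omission the text warns about."""
    t = Transcript(b"R_Upd")
    if bind_public_input:
        t.absorb(b"public-input", public_input)   # must happen before ANY challenge
    for i, com in enumerate(commitments):
        t.absorb(b"commit/" + str(i).encode(), com)
    beta = t.challenge(b"beta")
    gamma = t.challenge(b"gamma")
    alpha = t.challenge(b"alpha")
    zeta = t.challenge(b"zeta")
    return beta, gamma, alpha, zeta

# Constructed sample: one honest public input, one substituted in flight,
# and three 48-byte stand-ins for G1 wire commitments.
X_HONEST = b"\x01" * 96
X_SWAPPED = b"\x02" * 96
COMMITMENTS = [bytes([i]) * 48 for i in (1, 2, 3)]

def demo():
    """Returns (challenges collide when unbound, challenges collide when bound)."""
    unbound = challenges(X_HONEST, COMMITMENTS, False) == challenges(X_SWAPPED, COMMITMENTS, False)
    bound = challenges(X_HONEST, COMMITMENTS, True) == challenges(X_SWAPPED, COMMITMENTS, True)
    return unbound, bound

if __name__ == "__main__":
    print("unbound collide, bound collide =", demo())
```

With `bind_public_input=False` the four challenges are a function of the commitments alone, so the same proof bytes are consistent with any public input the relayer cares to substitute; with the input absorbed first, any change to $x$ changes $\beta$ and everything derived after it, and the proof no longer verifies against the rewritten input. A review check for a deployment is exactly this: confirm the public-input absorb precedes the first `challenge` call for both R_Mem and R_Upd.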

plonk vs groth16 vs fri/stark

Where PLONK sits in the trilemma.

Three working SNARK families, three different trades. Setup-trust on one axis, proof-size and PQ-stance on the other.

Groth16 · pairing-based · per-circuit MPC
Setup: per-circuit MPC ceremony
Proof size: 192 B
Verifier work: 3 pairings
PQ stance: broken under Shor
Representative deployments: Tornado Cash, Semaphore

PLONK (this page) · pairing-based · universal updatable
Setup: universal updatable · one SRS, many circuits
Proof size: ~700 B
Verifier work: 1 pairing
PQ stance: broken under Shor
Representative deployments: universal-updatable SNARK stacks on pairing-friendly chains

FRI / STARK · hash-based · transparent
Setup: transparent · no trusted setup
Proof size: ~50–200 KB · config-dependent
Verifier work: hash verifier
PQ stance: conjectured PQ-secure
Representative deployments: StarkNet, Plonky3

Universal-updatable vs per-circuit-MPC is the trust-posture differentiator vs Groth16. Proof-size vs PQ-stance is the differentiator vs STARKs. PLONK trades the post-quantum break for two orders of magnitude smaller proofs.

references

Primary literature.

Five sources. The PLONK paper, the KZG paper, the curve construction, the Fiat-Shamir security note, and the Groth16 paper for the size baseline.