ZKP学习笔记

Lecture 5: The Plonk SNARK (Dan Boneh)

general SNARK
- A polynomial commitment scheme + A polynomial interactive oracle proof (IOP)
Review: polynomial commitments
The KZG poly-commit scheme
- commit
  - a binding commitment, but not hiding
- Eval
  - The verifier does not know $\tau$: using a “paring” (only need H0,H1 from gp)
- Generalizations
  - Can also use KZG to commit to k-variate polynomials [PST’13]
- Batch proofs
- Properties of KZG: linear time commitment
- KZG fast multi-point proof generation
- The Dory polynomial commitment
- PCS has many applications(KZG batch proof, proof shorter than merkle tree proof)[Verkle Trees]