Fflonk
Presentation: https://www.youtube.com/watch?v=E5oLEqbx6F4
Introduction
When opening at a single point for polynomials, the common technique is to use a random linear combination, which requires scalar multiplications. Eliminating these operations could lead to more efficient verification. Meanwhile, in SHPlonk, when opening KZG in batch, the verifier randomly samples a point and constructs a vanishing polynomial for this point. This method allows an opening at points to be converted into an opening at a single point. However, the verifier still needs to perform computations, and reducing this cost could improve verification efficiency.
A natural question arises: can "the problem of opening at a single point for multiple polynomials" be transformed into "the problem of opening at multiple points for a single polynomial"? If possible, then leveraging SHPlonk’s method could enable more efficient batch opening for the verifier.
Background
Please read SHPlonk beforehand!
Protocol Explanation
When performing Radix-2 FFT, is decomposed into even and odd parts:
Now, consider a simple problem of opening at a single point for multiple polynomials . We define as follows:
Let , and open at :
By performing the following computations, we can retrieve and :
Thus, the original problem is transformed into opening at multiple points for a single polynomial , allowing us to apply SHPlonk’s batch opening method.
To generalize this approach to polynomials, we need a way to combine into a single polynomial and derive from .
Polynomial Combination and Decomposition
To merge multiple polynomials into one, we define the following functions:
: This constructs from :
: This extracts from .
By definition, we have:
By the way, is just introduced, but not actually used in this protocol!
Finding from
Next, we define a function to derive the set of opening points from :
: This determines the point set :
where satisfies:
for
must be a divisor of , and is the -th root of unity.
For example, if , meaning , and we want to open at , we construct:
The corresponding root set is:
This is because since .
Opening at gives:
Remember that by definition!
By computing:
we can recover .
Opening Multiple Polynomials at Multiple Points
Consider the same example from SHPlonk:
is opened at with value .
is opened at with values .
is opened at with values .
Let , then we compute , determine and , and perform a batch opening with .
Let's set the maximum allowable number of polynomials as . Then, if there are polynomials of degree , and each polynomial is opened at points, the computational costs are as follows:
The number of opening sets :
size:
Prover work:
Proof length:
Verifier work:
Here, represents scalar multiplication in , represents addition or multiplication in , and denotes a pairing operation.
Conclusion
Fflonk further optimizes batch opening protocols using a trick inspired by FFT, (that's why the name starts with ff, which denotes "fast fourier") reducing verifier work while maintaining prover efficiency and proof size. This makes it particularly well-suited for large-scale applications where minimizing verifier overhead is critical. In https://ethresear.ch/t/on-the-gas-efficiency-of-the-whir-polynomial-commitment-scheme/21301, it says verifying groth16 and fflonk proofs costs are almost identical.
TODO(chokobole): compare the prover performance between groth16 and fflonk.
References
Last updated