Polygon Zero’s mission is simple: to use zero-knowledge proofs to scale Ethereum to a billion users, without compromising decentralization or security. Achieving this requires fast and efficient proof systems. Today, we’re excited to share Plonky2, a major milestone for zero-knowledge cryptography.
Plonky2 is a recursive SNARK that is 100x faster than existing alternatives and natively compatible with Ethereum. It combines PLONK and FRI for the best of STARKs, with fast proofs and no trusted setup, and the best of SNARKs, with support for recursion and low verification cost on Ethereum.
Plonky2 represents the latest step in Polygon’s ongoing commitment to building the future of Ethereum, and we’re proud to share our work with the Ethereum community.
If zero-knowledge proofs have a superpower, it’s recursion. SNARKs can verify arbitrary computations, and, since verifying a SNARK is a computation, SNARKs can verify other SNARKs.
To see why that’s useful, suppose that we want to prove that a batch of 1,000 transactions are valid. Generating a single proof to verify 1,000 transactions at once would be expensive and time-consuming.
Instead, we can take 1,000 machines and generate 1,000 proofs in parallel, one for each transaction. Next, we can take these transaction proofs and recursively aggregate them by generating a layer of recursive proofs, with each one verifying two transaction proofs. We repeat this process until we’re left with a single proof that verifies 1,000 transactions.
The recursive approach is faster, less resource-intensive, and can be more decentralized.
Recursive proofs are critical for blockchain scalability. When we started Mir (now Polygon Zero) in 2019, it took two minutes on a fast computer to generate a single recursive proof. 2020 brought recursive proofs to Ethereum with 60 second proving times, and the invention of Halo delivered faster recursive proofs, but without Ethereum compatibility.
In 2021, we had an audacious goal: sub-1 second recursive proofs on Ethereum. We realized that FRI, the polynomial commitment scheme used in STARKS, could offer a significant performance improvement for recursive SNARKs. At the time, this wasn’t obvious. Fractal, the only existing implementation of recursive FRI, took about 10 minutes to generate a proof.
However, FRI has some exciting properties. It allows us to use 64-bit fields, and our team discovered the Goldilocks Field, whose modulus enables extremely efficient field arithmetic on modern CPUs. When combined with PLONK, FRI allows us to write custom gates with many more wires, so we can write circuits that are optimized for efficient recursion.
This combination of mathematical insight, deep expertise in zero-knowledge cryptography, and amazing low-level optimizations allowed us to make a significant breakthrough. A recursive proof on Plonky2 takes just 170 milliseconds on a Macbook Pro, a 100x improvement over existing alternatives.
Plonky2 also allows us to speed up proving times for proofs that don’t involve recursion. With FRI, you can either have fast proofs that are big (so they’re more expensive to verify on Ethereum), or you can have slow proofs that are small. Constructions that use FRI, like the STARKs that Starkware uses in their ZK-rollups, have to choose; they can’t have maximally fast proving times and proof sizes that are small enough to reasonably verify on Ethereum.
Plonky2 eliminates this tradeoff. In cases where proving time matters, we can optimize for maximally fast proofs. When these proofs are recursively aggregated, we’re left with a single proof that can be verified in a small circuit. At this point, we can optimize for proof size. We can shrink our proof sizes down to 45kb with only 20s of proving time (not a big deal since we only generate when we submit to Ethereum), dramatically reducing costs relative to Starkware.
Excitingly, Plonky2 is natively compatible with Ethereum. Plonky2 requires only keccak-256 to verify a proof. We’ve estimated that the gas cost to verify a plonky2 size-optimized proof on Ethereum will be approximately 1 million gas.
However, this cost is dominated by the CALLDATA costs to publish the proof on Ethereum. If CALLDATA is repriced in EIP-4488, the verification cost of a plonky2 proof will drop to between 170-200k gas, which could make it not only the fastest proving system, but also the cheapest to verify on Ethereum.
Last year, Polygon laid out its commitment to supporting ZK scaling. This represented an important transition, as Polygon moved from providing an essential solution for the present to building the future of Ethereum scaling. Plonky2 is an important step on this journey, and a major breakthrough for the entire space.
ZK L2s have benefited from a lot of hype, but current solutions rely on cryptographic primitives that are inefficient and limit scalability. Ultimately, L2’s will compete on throughput and cost, and Plonky2 gives the Polygon ecosystem the opportunity to build the most performant and scalable L2s.