<p>The arithmetization used by Halo 2 comes from <a href="https://eprint.iacr.org/2019/953">PLONK</a>, or
more precisely its extension UltraPLONK that supports custom gates and lookup arguments. We'll
call it <em><strong>UPA</strong></em> (<em><strong>UltraPLONK arithmetization</strong></em>).</p>
<blockquote>
<p>The term UPA and some of the other terms we use to describe it are not used in the PLONK
paper.</p>
</blockquote>
<p><em><strong>UPA circuits</strong></em> are defined in terms of a rectangular matrix of values. We refer to
<em><strong>rows</strong></em>, <em><strong>columns</strong></em>, and <em><strong>cells</strong></em> of this matrix with the conventional meanings.</p>
<p>A UPA circuit depends on a <em><strong>configuration</strong></em>:</p>
<ul>
<li>
<p>A finite field \(\mathbb{F}\), where cell values (for a given instance and witness) will be
elements of \(\mathbb{F}\).</p>
</li>
<li>
<p>The number of columns in the matrix, and a specification of each column as being
<em><strong>fixed</strong></em>, <em><strong>advice</strong></em>, or <em><strong>auxiliary</strong></em>. Fixed columns are fixed by the circuit;
advice columns correspond to witness values; and auxiliary columns are used for public inputs.</p>
</li>
<li>
<p>A subset of the columns that can participate in equality constraints.</p>
</li>
<li>
<p>A sequence of <em><strong>polynomial constraints</strong></em>. These are multivariate polynomials over
\(\mathbb{F}\) that must evaluate to zero <em>for each row</em>. The variables in a polynomial
constraint may refer to a cell in a given column of the current row, or a given column of
another row relative to this one (with wrap-around, i.e. taken modulo \(n\)). The maximum
degree of each polynomial is given by the polynomial degree bound.</p>
</li>
<li>
<p>A sequence of <em><strong>lookup arguments</strong></em> defined over tuples of <em><strong>input columns</strong></em> and
<em><strong>table columns</strong></em>.</p>
</li>
</ul>
<p>A UPA circuit also defines:</p>
<ul>
<li>
<p>The number of rows \(n\) in the matrix. \(n\) must correspond to the size of a multiplicative
subgroup of \(\mathbb{F}^\times\); typically a power of two.</p>
</li>
<li>
<p>A sequence of <em><strong>equality constraints</strong></em>, which specify that two given cells must have equal
values.</p>
</li>
<li>
<p>The values of the fixed columns at each row.</p>
</li>
</ul>
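<p>The definitions above can be exercised on a toy matrix. The following is an added example, not code from the Halo 2 book or the halo2 crates: it evaluates one polynomial constraint on every row, using a relative row reference with wrap-around, and checks a list of equality constraints. The field \(\mathbb{F}_{97}\), the three columns <code>Q</code>, <code>A</code>, <code>B</code>, the constraint itself and all function names are assumptions chosen for illustration.</p>

```rust
// Added illustration, not halo2 code: a toy UPA-style matrix over F_97.
const P: u64 = 97; // field modulus (constructed; F^x has order 96, so n = 4 is valid)
const N: usize = 4; // number of rows n
const Q: usize = 0; // fixed column, used here as an on/off factor in the constraint
const A: usize = 1; // advice column
const B: usize = 2; // advice column

type Matrix = [[u64; N]; 3]; // matrix[column][row], every value already reduced mod P

/// Cell of `col` at `rot` rows relative to `row`, with wrap-around modulo n.
fn cell(m: &Matrix, col: usize, row: usize, rot: i64) -> u64 {
    m[col][(row as i64 + rot).rem_euclid(N as i64) as usize]
}

/// Polynomial constraint q * (a * b - a_next) evaluated at one row; must be 0.
fn gate(m: &Matrix, row: usize) -> u64 {
    let (q, a, b) = (cell(m, Q, row, 0), cell(m, A, row, 0), cell(m, B, row, 0));
    let a_next = cell(m, A, row, 1); // column A, next row (row 3 wraps to row 0)
    q * ((a * b + P - a_next) % P) % P
}

/// Rows on which the polynomial constraint does not evaluate to zero.
fn failing_rows(m: &Matrix) -> Vec<usize> {
    (0..N).filter(|&r| gate(m, r) != 0).collect()
}

/// Equality constraints: each pair of (column, row) cells must hold equal values.
fn equalities_hold(m: &Matrix, eqs: &[((usize, usize), (usize, usize))]) -> bool {
    eqs.iter().all(|&((c1, r1), (c2, r2))| m[c1][r1] == m[c2][r2])
}

/// Constructed sample: a running product in column A, checked on rows 0..=2.
fn sample() -> Matrix {
    [
        [1, 1, 1, 0],   // Q: constraint active on rows 0..=2, multiplied out on row 3
        [2, 6, 30, 53], // A: 2*3 = 6, 6*5 = 30, 30*5 = 150 = 53 (mod 97)
        [3, 5, 5, 0],   // B
    ]
}

fn main() {
    let m = sample();
    println!("failing rows: {:?}", failing_rows(&m));
    println!("equalities: {}", equalities_hold(&m, &[((B, 1), (B, 2))]));
}
```

<p>On the last row the fixed column holds 0, so this constraint places no condition on that row's advice cells; in this toy, only an equality constraint or another polynomial constraint would bind them.</p>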
<p>From a circuit description we can generate a <em><strong>proving key</strong></em> and a <em><strong>verification key</strong></em>,
which are needed for the operations of proving and verification for that circuit.</p>
<blockquote>
<p>Note that we specify the ordering of columns, polynomial constraints, lookup arguments, and
equality constraints, even though these do not affect the meaning of the circuit. This makes
it easier to define the generation of proving and verification keys as a deterministic
process.</p>
</blockquote>
<p>Typically, a configuration will define polynomial constraints that are switched off and on by
<em><strong>selectors</strong></em> defined in fixed columns. For example, a constraint \(q_i \cdot p(...) = 0\) can
be switched off for a particular row \(i\) by setting \(q_i = 0\). In this case we sometimes refer
to a set of constraints controlled by a set of selector columns that are designed to be used
together, as a <em><strong>gate</strong></em>. Typically there will be a <em><strong>standard gate</strong></em> that supports generic
operations like field multiplication and division, and possibly also <em><strong>custom gates</strong></em> that