# Explaining SNARKs Part V: From Computations to Polynomials

Original source: https://blog.z.cash/snark-explain5/

In the three previous parts, we developed a certain machinery for dealing with polynomials. In this part, we show how to translate statements we would like to prove and verify to the language of polynomials. The idea of using polynomials in this way goes back to the groundbreaking work of Lund, Fortnow, Karloff and Nisan.

In 2013, another breakthrough work of Gennaro, Gentry, Parno and Raykova defined an extremely useful translation of computations into polynomials called a Quadratic Arithmetic Program (QAP). QAPs have become the basis for modern zk-SNARK constructions, in particular those used by Zcash.

In this post we explain the translation into QAPs by example. Even when focusing on a small example rather than the general definition, it is unavoidable that it is a lot to digest at first, so be prepared for a certain mental effort :).

Suppose Alice wants to prove to Bob she knows c1,c2,c3∈Fp such that (c1⋅c2)⋅(c1+c3)=7. The first step is to present the expression computed from c1,c2,c3 as an arithmetic circuit.

#### Arithmetic circuits

An arithmetic circuit consists of gates computing arithmetic operations like addition and multiplication, with wires connecting the gates. In our case, the circuit looks like this:

The bottom wires are the input wires, and the top wire is the output wire giving the result of the circuit computation on the inputs.

As can be seen in the picture, we label the wires and gates of the circuit in a very particular way that is needed for the next step of translating the circuit into a QAP:

1. When the same outgoing wire goes into more than one gate, we still think of it as one wire – like w1 in the example.

2. We assume multiplication gates have exactly two input wires, which we call the left wire and right wire.

3. We don’t label the wires going from an addition to multiplication gate, nor the addition gate; we think of the inputs of the addition gate as going directly into the multiplication gate. So in the example we think of w1 and w3 as both being right inputs of g2.


A legal assignment for the circuit is an assignment of values to the labeled wires where the output value of each multiplication gate is indeed the product of the corresponding inputs.

So for our circuit, a legal assignment is of the form: (c1,…,c5) where c4=c1⋅c2 and c5=c4⋅(c1+c3).

In this terminology, what Alice wants to prove is that she knows a legal assignment (c1,…,c5) such that c5=7. The next step is to translate this statement into one about polynomials using QAPs.

#### Reduction to a QAP

We associate each multiplication gate with a field element: g1 will be associated with 1∈Fp and g2 with 2∈Fp. We call the points {1,2} our target points. Now we need to define a set of “left wire polynomials” L1,…,L5, “right wire polynomials” R1,…,R5 and “output wire polynomials” O1,…,O5.

The idea for the definition is that the polynomials will usually be zero on the target points, except the ones involved in the target point’s corresponding multiplication gate.

Concretely, as w1,w2,w4 are, respectively, the left, right and output wire of g1, we define L1=R2=O4=2−X, as the polynomial 2−X is one on the point 1 corresponding to g1 and zero on the point 2 corresponding to g2.

Note that w1 and w3 are both right inputs of g2. Therefore, we define similarly L4=R1=R3=O5=X−1 – as X−1 is one on the target point 2 corresponding to g2 and zero on the other target point.

We set the rest of the polynomials to be the zero polynomial.

Given fixed values (c1,…,c5) we use them as coefficients to define left, right, and output “sum” polynomials. That is, we define

$$L := \sum_{i=1}^{5} c_i \cdot L_i, \quad R := \sum_{i=1}^{5} c_i \cdot R_i, \quad O := \sum_{i=1}^{5} c_i \cdot O_i$$

and then we define the polynomial P:=L⋅R−O.


Now, after all these definitions, the central point is this: (c1,…,c5) is a legal assignment to the circuit if and only if P vanishes on all the target points.

Let’s examine this using our example. Suppose we defined L,R,O,P as above given some c1,…,c5. Let’s evaluate all these polynomials at the target point 1:

Out of all the Li’s only L1 is non-zero on 1. So we have L(1)=c1⋅L1(1)=c1. Similarly, we get R(1)=c2 and O(1)=c4.

Therefore, P(1)=c1⋅c2−c4. A similar calculation shows P(2)=c4⋅(c1+c3)−c5.

In other words, P vanishes on the target points if and only if (c1,…,c5) is a legal assignment.

Now, we use the following algebraic fact: For a polynomial P and a point a∈Fp, we have P(a)=0 if and only if the polynomial X−a divides P, i.e. P=(X−a)⋅H for some polynomial H.

Defining the target polynomial T(X):=(X−1)⋅(X−2), we thus have that T divides P if and only if (c1,…,c5) is a legal assignment.

Following the above discussion, we define a QAP as follows:

A Quadratic Arithmetic Program Q of degree d and size m consists of polynomials L1,…,Lm, R1,…,Rm, O1,…,Om and a target polynomial T of degree d.

An assignment (c1,…,cm) satisfies Q if, defining

$$L := \sum_{i=1}^{m} c_i \cdot L_i, \quad R := \sum_{i=1}^{m} c_i \cdot R_i, \quad O := \sum_{i=1}^{m} c_i \cdot O_i$$

and P:=L⋅R−O, we have that T divides P.

In this terminology, Alice wants to prove she knows an assignment (c1,…,c5) satisfying the QAP described above with c5=7.
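The divisibility check for this two-gate QAP, worked over F_p with p = 101, as an added example (not code from the original post). The prime, the coefficient-list representation, the helper names and the sample witness are assumptions made here.

```python
P_MOD = 101  # assumed small prime field F_p, chosen only for illustration

# Polynomials are coefficient lists, lowest degree first, reduced mod P_MOD.
ZERO, G1, G2 = [0], [2, -1], [-1, 1]   # 0, 2-X (one at 1), X-1 (one at 2)
L_POLYS = [G1, ZERO, ZERO, G2, ZERO]   # L1 = 2-X, L4 = X-1
R_POLYS = [G2, G1, G2, ZERO, ZERO]     # R2 = 2-X, R1 = R3 = X-1
O_POLYS = [ZERO, ZERO, ZERO, G1, G2]   # O4 = 2-X, O5 = X-1
TARGET = [2, -3, 1]                    # T = (X-1)(X-2)

def add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % P_MOD for x, y in zip(a, b)]

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P_MOD
    return out

def combine(cs, polys):
    """Return sum_i c_i * poly_i, i.e. L, R or O for the assignment cs."""
    acc = [0]
    for c, poly in zip(cs, polys):
        acc = add(acc, mul([c], poly))
    return acc

def p_poly(cs):
    """P = L*R - O for the assignment cs = (c1, ..., c5)."""
    L, R, O = (combine(cs, ps) for ps in (L_POLYS, R_POLYS, O_POLYS))
    return add(mul(L, R), mul([-1], O))

def divmod_poly(num, den):
    """Long division over F_p; returns (quotient H, remainder)."""
    num, den = [x % P_MOD for x in num], [x % P_MOD for x in den]
    inv_lead = pow(den[-1], -1, P_MOD)
    quot = [0] * max(len(num) - len(den) + 1, 1)
    for k in range(len(num) - len(den), -1, -1):
        quot[k] = num[k + len(den) - 1] * inv_lead % P_MOD
        for j, d in enumerate(den):
            num[k + j] = (num[k + j] - quot[k] * d) % P_MOD
    return quot, num[:len(den) - 1]

def satisfies(cs):
    """True iff T divides P, i.e. cs is a legal assignment."""
    return not any(divmod_poly(p_poly(cs), TARGET)[1])

# Constructed witness: 3*4 = 12 and 12*(3+6) = 108 = 7 in F_101.
witness = (3, 4, 6, 12, 7)
print(p_poly(witness), divmod_poly(p_poly(witness), TARGET), satisfies(witness))
```

For the constructed witness the quotient is the constant H = 45; changing any of c4 or c5 leaves a non-zero remainder. The statement Alice proves additionally fixes c5 = 7, which is checked separately from divisibility.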


To summarize, we have seen how a statement such as “I know c1,c2,c3 such that (c1⋅c2)⋅(c1+c3)=7” can be translated into an equivalent statement about polynomials using QAPs. In the next part, we will see an efficient protocol for proving knowledge of a satisfying assignment to a QAP.

[1] In this post we tried to give the most concise example of a reduction to QAP; we also recommend Vitalik Buterin’s excellent post for more details on the transformation from a program to a QAP.
