zk-SNARKs notes: from program to QAP
Source: https://medium.com/@VitalikButerin/quadratic-arithmetic-programs-from-zero-to-hero-f6d558cea649
For the program below, we reach the final QAP in three steps:
- program => gates
- gates => R1CS
- R1CS => QAP
def qeval(x):
    y = x**3
    return x + y + 5
1 Flattening program => gates
The flattened program contains only two forms of statement: x = y and x = y (op) z (where op can be +, -, *, / and y and z can be variables, numbers or themselves sub-expressions).
// Each line can be read as one gate
sym_1 = x * x
y = sym_1 * x
sym_2 = y + x
~out = sym_2 + 5
2 Gates to R1CS
An R1CS is a sequence of groups of three vectors (a, b, c), and the solution to an R1CS is a vector s, where s must satisfy the equation s . a * s . b - s . c = 0.
The length of each vector is equal to the total number of variables in the system.
In the example above there are 6 variables: '~one', 'x', '~out', 'sym_1', 'y', 'sym_2' (~one and ~out are required), so each vector has length 6.
The (a, b, c) for the first gate is:
a = [0, 1, 0, 0, 0, 0] // x
b = [0, 1, 0, 0, 0, 0] // x
c = [0, 0, 0, 1, 0, 0] // sym_1
The (a, b, c) for the second gate is:
a = [0, 0, 0, 1, 0, 0] // sym_1
b = [0, 1, 0, 0, 0, 0] // x
c = [0, 0, 0, 0, 1, 0] // y
For the third gate:
a = [0, 1, 0, 0, 1, 0] // y + x
b = [1, 0, 0, 0, 0, 0] // ~one
c = [0, 0, 0, 0, 0, 1] // sym_2
For the fourth gate:
a = [5, 0, 0, 0, 0, 1] // 5 * ~one + sym_2
b = [1, 0, 0, 0, 0, 0] // ~one
c = [0, 0, 1, 0, 0, 0] // ~out
The solution s that satisfies s . a * s . b - s . c = 0 for the (a, b, c) of all four gates at once is:
[1, 3, 35, 9, 27, 30]
Putting all the a, b, c vectors together:
A
[0, 1, 0, 0, 0, 0]
[0, 0, 0, 1, 0, 0]
[0, 1, 0, 0, 1, 0]
[5, 0, 0, 0, 0, 1]
B
[0, 1, 0, 0, 0, 0]
[0, 1, 0, 0, 0, 0]
[1, 0, 0, 0, 0, 0]
[1, 0, 0, 0, 0, 0]
C
[0, 0, 0, 1, 0, 0]
[0, 0, 0, 0, 1, 0]
[0, 0, 0, 0, 0, 1]
[0, 0, 1, 0, 0, 0]
3 R1CS to QAP
QAP form: implements the exact same logic except using polynomials instead of dot products.
The degree of the polynomials depends on the number of gates; there are 4 gates here, so the degree is 3.
A polynomials
[-5.0, 9.166, -5.0, 0.833] // 0.833 * x**3 - 5*x**2 + 9.166*x - 5, passes through the points (1,0) (2,0) (3,0) (4,5)
[8.0, -11.333, 5.0, -0.666] // passes through the points (1,1) (2,0) (3,1) (4,0)
[0.0, 0.0, 0.0, 0.0] // passes through the points (1,0) (2,0) (3,0) (4,0), the third column of A above
[-6.0, 9.5, -4.0, 0.5]
[4.0, -7.0, 3.5, -0.5]
[-1.0, 1.833, -1.0, 0.166] // passes through the points (1,0) (2,0) (3,0) (4,1), the 6th column of A above
B polynomials
[3.0, -5.166, 2.5, -0.333]
[-2.0, 5.166, -2.5, 0.333]
[0.0, 0.0, 0.0, 0.0]
[0.0, 0.0, 0.0, 0.0]
[0.0, 0.0, 0.0, 0.0]
[0.0, 0.0, 0.0, 0.0]
C polynomials
[0.0, 0.0, 0.0, 0.0]
[0.0, 0.0, 0.0, 0.0]
[-1.0, 1.833, -1.0, 0.166]
[4.0, -4.333, 1.5, -0.166]
[-6.0, 9.5, -4.0, 0.5]
[4.0, -7.0, 3.5, -0.5]
Why convert to QAP?
Instead of checking the constraints in the R1CS individually, we can now check all of the constraints at the same time by doing the dot product check on the polynomials.
A(x) = A . s = [43.0, -73.333, 38.5, -5.166]
B(x) = B . s = [-3.0, 10.333, -5.0, 0.666]
C(x) = C . s = [-41.0, 71.666, -24.5, 2.833]
A . s * B . s - C . s:
t = [-88.0, 592.666, -1063.777, 805.833, -294.777, 51.5, -3.444]
Z = (x - 1) * (x - 2) * (x - 3) * (x - 4) (because there are 4 gates)
Z = [24, -50, 35, -10, 1]
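h = t / Z = [-3.666, 17.055, -3.444] // since t(1), t(2), t(3), t(4) are all 0, t(x) is divisible by Z(x)
We no longer need to check separately whether t(1), t(2), t(3), t(4) are 0; instead we check whether t(x) is divisible by Z(x).
Recap: we turned the verification of the R1CS condition s . a * s . b - s . c = 0 into checking whether the QAP's t(x) is 0 at the corresponding points (here 1, 2, 3, 4), and then into checking whether t(x) is divisible by Z(x).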
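The whole R1CS => QAP check above can be reproduced with exact rational arithmetic. This is an added example, not code from the original note or from the source article; the function names (poly_mul, lagrange, combine, qap_check) are chosen here, and polynomials are stored lowest-degree coefficient first, as in the listings above.

```python
from fractions import Fraction
# R1CS and witness from the note; order: ~one, x, ~out, sym_1, y, sym_2
A = [[0, 1, 0, 0, 0, 0], [0, 0, 0, 1, 0, 0], [0, 1, 0, 0, 1, 0], [5, 0, 0, 0, 0, 1]]
B = [[0, 1, 0, 0, 0, 0], [0, 1, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0]]
C = [[0, 0, 0, 1, 0, 0], [0, 0, 0, 0, 1, 0], [0, 0, 0, 0, 0, 1], [0, 0, 1, 0, 0, 0]]
S = [1, 3, 35, 9, 27, 30]

def poly_mul(p, q):
    """Multiply two polynomials (lowest-degree coefficient first)."""
    out = [Fraction(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out

def lagrange(ys):
    """Polynomial through the points (1, ys[0]), (2, ys[1]), ..."""
    total = [Fraction(0)] * len(ys)
    for i, y in enumerate(ys):
        term = [Fraction(y)]
        for j in range(len(ys)):
            if j != i:  # multiply by (x - (j+1)) / ((i+1) - (j+1))
                term = poly_mul(term, [Fraction(-(j + 1), i - j), Fraction(1, i - j)])
        total = [t + c for t, c in zip(total, term)]
    return total

def combine(M, s):
    """Interpolate each column of M across the gates, then dot with s."""
    acc = [Fraction(0)] * len(M)
    for col, w in enumerate(s):
        poly = lagrange([row[col] for row in M])
        acc = [a + w * c for a, c in zip(acc, poly)]
    return acc

def qap_check(s):
    """Return (h, remainder) of t(x) / Z(x), where t = A.s * B.s - C.s."""
    t = poly_mul(combine(A, s), combine(B, s))
    for k, c in enumerate(combine(C, s)):
        t[k] -= c
    z = [Fraction(1)]
    for gate in range(1, len(A) + 1):  # Z(x) = (x - 1)(x - 2)...(x - 4)
        z = poly_mul(z, [Fraction(-gate), Fraction(1)])
    h = []
    while len(t) >= len(z):  # long division, eliminating the top term each pass
        h.insert(0, t[-1] / z[-1])
        for k in range(len(z)):
            t[len(t) - len(z) + k] -= h[0] * z[k]
        t.pop()
    return h, t
```

qap_check(S) returns h = [-11/3, 307/18, -31/9], the exact values behind the rounded h above, with an all-zero remainder. Changing ~out in the witness from 35 to 36 leaves a non-zero remainder, so the divisibility check rejects it.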