原文出自：https://blog.z.cash/snark-explain5/
作者：Ariel Gabizon
譯者：Matter實驗室

In the three previous parts, we developed a certain machinery for dealing with polynomials. In this part, we show how to translate statements we would like to prove and verify to the language of polynomials. The idea of using polynomials in this way goes back to the groundbreaking work of Lund, Fortnow, Karloff and Nisan.

在之前的三篇文章中，我們開發了處理多項式的一個中心構件。 在本篇文章中，我們將展示如何將我們想要證明和驗證的狀態轉換成多項式語言。這種采用多項式的想法可以追溯到Lund,Fortnow,Karloff以及Nisan的開創性工作——交互式證明系統的代數方法。

In 2013, another breakthrough work of Gennaro, Gentry, Parno and Raykova defined an extremely useful translation of computations into polynomials called a Quadratic Arithmetic Program (QAP). QAPs have become the basis for modern zk-SNARK constructions, in particular those used by Zcash.

在2018年，另外一項突破性工作(Gennaro, Gentry, Parno 和 Raykova)定義了一個極為有用的將計算轉換為多項式的方法，被稱為二次算術程序(QAP)。QAPs 已經成為了當前zk-SNARK結構的基礎，尤其是其被Zcash使用了。

In this post we explain the translation into QAPs by example. Even when focusing on a small example rather than the general definition, it is unavoidable that it is a lot to digest at first, so be prepared for a certain mental effort :).

在本篇博文中，我們使用一個例子解釋了 QAPs 的轉換過程。即便關注與一個小例子而不是一般定義，也不可避免的需要先理解一些東西，所以在閱讀前請先做好腦力準備:)。

Suppose Alice wants to prove to Bob she knows c1,c2,c3∈Fp such that (c1?c2)?(c1+c3)=7. The first step is to present the expression computed from c1,c2,c3 as an arithmetic circuit.

假設 Alice 想要向 Bob 證明她知道 c1,c2,c3∈Fp 滿足(c1?c2)?(c1+c3)=7。第一步需要將從 c1,c2,c3 開始計算的表達式表示成一個數字電路。

ARITHMETIC CIRCUITS

數字電路

An arithmetic circuit consists of gates computing arithmetic operations like addition and multiplication, with wires connecting the gates. In our case, the circuit looks like this:

一個數字電路由多個通過使用線路鏈接的數字運算門組成，這些運算可以是加法和乘法。 在我們的例子中，電路的樣子如圖所示：

數字電路

The bottom wires are the input wires, and the top wire is the output wire giving the result of the circuit computation on the inputs.

在底部的線路是輸入線路，在頂部的線路是輸出線路，它給出輸入在電路上計算的結果。

As can be seen in the picture, we label the wires and gates of the circuit in a very particular way, that is needed for the next step of translating the circuit into a QAP:

1. When the same outgoing wire goes into more than one gate, we still think of it as one wire – like w1 in the example.

2. We assume multiplication gates have exactly two input wires, which we call the left wire and right wire.

3. We don’t label the wires going from an addition to multiplication gate, nor the addition gate; we think of the inputs of the addition gate as going directly into the multiplication gate. So in the example we think of w1 and w3 as both being right inputs of g2.

在圖中可以看出，我們使用一種特殊的方式為線路和環路的門添加了標簽，這些標簽在接下來轉換電路到QAP時有用:

1. 當相同的輸出節點輸出到不止一個門的時候，我們認為他是同一條，就像例子中的w1。

2. 我們假設乘法門有兩個輸入線，我們將其稱為左輸入線和右輸入線。

3. 我們不會標記從加法門到乘法門的線，也不會標記加法門；我們認為加法門的輸入直接進入到乘法門中。因此，在例子中，我們認為w1和w3都是g2的右輸入。

A legal assignment for the circuit, is an assignment of values to the labeled wires where the output value of each multiplication gate is indeed the product of the corresponding inputs.

針對電路的一個合法的賦值，是給被標記線的賦值，在這兒每個乘法門的輸出值確實是相應輸入的產物。

So for our circuit, a legal assignment is of the form: (c1,…,c5) where c4=c1?c2 and c5=c4?(c1+c3).

因此，對于我們的電路，一個合乎規范的賦值形式是：(c1,…,c5) 其中 c4=c1?c2 并且 c5=c4?(c1+c3) 。

In this terminology, what Alice wants to prove is that she knows a legal assignment (c1,…,c5) such that c5=7. The next step is to translate this statement into one about polynomials using QAPs.

在這樣的語句中，Alice想要證明的是她知道一個對(c1,…,c5)的合法的賦值，可以滿足c5=7。下一步是使用QAPs將這樣的語句翻譯成一個多項式。

REDUCTION TO A QAP

還原一個QAP

We associate each multiplication gate with a field element: g1 will be associated with 1∈Fp and g2 with 2∈Fp. We call the points {1,2} our target points. Now we need to define a set of “left wire polynomials” L1,…,L5, “right wire polynomials” R1,…,R5 and “output wire polynomials” O1,…,O5.

我們將每個乘法門與域元素聯系起來，g1將與1∈Fp聯系起來，g2 與 2∈Fp 聯系起來。我們稱點{1,2}為我們的目標點?，F在，我們需要定義 “左線多項式” L1,…,L5 集合, “右線多項式” R1,…,R5集合 以及 “輸出多項式” O1,…,O5集合。

The idea for the definition is that the polynomials will usually be zero on the target points, except the ones involved in the target point’s corresponding multiplication gate.

對于這些定義的想法是多項式在目標點的取值一般為零，除了目標點的涉及的乘法門所包含的那些多項式外。

Concretely, as w1,w2,w4 are, respectively, the left, right and output wire of g1; we define L1=R2=O4=2?X, as the polynomial 2?X is one on the point 1 corresponding to g1 and zero on the point 2 corresponding to g2.

具體來說，像w1,w2,w4各自是g1的左、右、和輸出線；我們定義L1=R2=O4=2?X，作為多項式2-X，根據g1，多項式在1點值是一，根據g2，多項式在2點值是零。

Note that w1 and w3 are both right inputs of g2. Therefore, we define similarly L4=R1=R3=O5=X?1 – as X?1 is one on the target point 2 corresponding to g2 and zero on the other target point.

注意到w1 和 w3都是g2的右輸入。因此我們同樣定義L4=R1=R3=O5=X?1——因為，根據g2，X-1在目標點2是一，而在另外一個點是零。

We set the rest of the polynomials to be the zero polynomial.

我們將其余的多項式都設置成零多項式。

Given fixed values (c1,…,c5) we use them as coefficients to define a left, right, and output “sum” polynomials. That is, we define

L:=∑(5,i=1) ci?Li
R:=∑(5,i=1) ci?Ri
O:=∑(5,i=1) ci?Oi

and then we define the polynomial P:=L?R?O.

給定 (c1,…,c5) 固定值，我們用他們作為一個系數來定義一個左、右和輸出的“和”多項式。也就是說，我們定義：

L:=∑(5,i=1) ci?Li
R:=∑(5,i=1) ci?Ri
O:=∑(5,i=1) ci?Oi

之后，我們再定義多項式 P:=L?R?O

Now, after all these definitions, the central point is this: (c1,…,c5) is a legal assignment to the circuit if and only if P vanishes on all the target points.

現在，在完成所有這些定義之后，關鍵點在于： (c1,…,c5) 是一個對于電路的合法賦值，當且僅當P在所有的目標點上取零。

Let’s examine this using our example. Suppose we defined L,R,O,P as above given some c1,…,c5. Let’s valuate all these polynomials at the target point 1:

讓我們使用例子來驗證一下。假設我們定義 L,R,O,P ，采用上述給出的c1,…,c5。讓我們在目標點1上計算所有的這些多項式：

Out of all the Li’s only L1 is non-zero on 1. So we have L(1)=c1?L1(1)=c1. Similarly, we get R(1)=c2 and O(1)=c4.

Therefore, P(1)=c1?c2?c4. A similar calculation shows P(2)=c4?(c1+c3)–c5.

在所有的Li中，只有L1在1點上是非零的。因此我們有L(1)=c1?L1(1)=c1。同樣，我們可以得到R(1)=c2 和 O(1)=c4。

因此，P(1)=c1?c2?c4。 一個類似的計算是： P(2)=c4?(c1+c3)–c5。

In other words, P vanishes on the target points if and only if (c1,…,c5) is a legal assignment.

也就是說，當且僅當 (c1,…,c5) 被合法賦值后，P 在目標點位的值為零。

Now, we use the following algebraic fact: For a polynomial P and a point a∈Fp, we have P(a)=0 if and only if the polynomial X?a divides P, i.e. P=(X?a)?H for some polynomial H.

現在，我們使用下面的代數事實：對于一個多項式 P 和一個點 a∈Fp，當且僅當多項式 X?a 可以整除 P 時，我們有 P(a)=0 ，比如 P=(X?a)?H ，H是一些多項式。

Defining the target polynomial T(X):=(X?1)?(X?2), we thus have that T divides P if and only if (c1,…,c5) is a legal assignment.

定義目標多項式 T(X):=(X?1)?(X?2)，當且僅當 (c1,…,c5) 是一個合法的賦值時，我們確信 T 能整除 P。

Following the above discussion, we define a QAP as follows:

A Quadratic Arithmetic Program Q of degree d and size m consists of polynomials L1,…,Lm, R1,…,Rm, O1,…,Om and a target polynomial T of degree d.

An assignment (c1,…,cm) satisfies Q if, defining
L:=∑(m,i=1) ci?Li
R:=∑(m,i=1) ci?Ri
O:=∑(m,i=1) ci?Oi
and
P:=L?R?O
we have that T divides P.

In this terminology, Alice wants to prove she knows an assignment (c1,…,c5) satisfying the QAP described above with c5=7.

根據上面的討論，我們對于 QAP 做出如下定義：

一個d階m大小的二次算術程序(QAP) Q，由多項式L1,…,Lm, R1,…,Rm, O1,…,Om 和 一個d階目標多項式 T 構成。

如果 (c1,…,cm) 的值滿足 Q，定義
L:=∑(m,i=1) ci?Li
R:=∑(m,i=1) ci?Ri
O:=∑(m,i=1) ci?Oi
和
P:=L?R?O
我們可以確定T可以整除P。

在這些語句中，Alice想要證明他知道一個限定c5=7的(c1,...,c5)的值滿足上述描述的QAP。

To summarize, we have seen how a statement such as “I know c1,c2,c3 such that (c1?c2)?(c1+c3)=7” can be translated into an equivalent statement about polynomials using QAPs. In the next part, we will see an efficient protocol for proving knowledge of a satisfying assignment to a QAP.

總之，我們已經看到，使用QAPs，像“我知道c1,c2,c3能滿足(c1?c2)?(c1+c3)=7”這樣的語句能被轉換成等價的多項式語句。在下一篇中，我們將看到一個高效率的QAP協議，這個協議可以證明滿足條件的知識。

[1]In this post we tried to give the most concise example of a reduction to QAP; we also recommend Vitalik Buterin’s excellent post for more details on the transformation from a program to a QAP.

[1]在本篇博文中，我們嘗試使用最簡便的例子來還原 QAP；我們同樣推薦 Vitalik Buterin 關于如何將程序轉換到 QAP 的更多細節的精彩博文

譯者總結

數學關系