The R1CS & QAP Blueprint for zk-SNARKs | From Zero to Deku

November 12th, 2024

This beginner friendly article is an extended version of Vitalik’s article on Quadratic Arithmetic Programs. We will provide a deeper technical dive on how to transition from a Problem to R1CS and from R1CS to QAP.

As mentioned by Vitalik, “zk-SNARKs cannot be applied to any computational problem directly; rather, you have to convert the problem into the right “form” for the problem to operate on. The form is called a “quadratic arithmetic program” (QAP)”

Along with the process for converting the code of a function into a QAP is another process that can be run alongside so that if you have an input to the code you can create a corresponding solution (sometimes called “witness” to the QAP).

After this, there is another fairly intricate process for creating the actual “zero knowledge proof” for this witness, and a separate process for verifying a proof that someone else passes along to you, but these are details that are out of scope for this post.

Introduction

We will use the same example as Vitalik because it is simple enough that the resulting QAP will not be so large as to be intimidating, but nontrivial enough that you can see all of the machinery come into play. Our goal is to prove that we know the solution to a cubic equation :

x^3 + x + 5 = 35

As you can see, the solution for this is $x=3$ . The Prover must thus show to Verifier that he knows the solution, without giving away the value 3.

To keep things simple, we will use a Galois Field (or finite field) of GF(641) which is a prime number.

If you’re not familiar with Modular Arithmetic, I recommend reading the Finite Fields and Modular Arithmetic for ZK Proofs chapter from Rareskills Zero Knowledge book before proceeding an further.

Problem Statement to R1CS

Definition of R1CS

Rank-1 Constraint System (R1CS) is a way to represent complex mathematical statements as a series of equations that a computer can verify efficiently. In essence, R1CS allows us to break down a problem into simple constraints that verify if a solution is valid. This let’s us easily prove to the Verifier that the Prover does really know a proper witness $w$ (solution) for a specific problem or in this case a cubic equation.

Step 1: Flattening

We have a function $x^3 + x +5 = 35$ , we want to simplify it into multiple small functions called constraints which take the form of $x = y \space (op) \space z$ where $(op)$ can be any arithmetic operation $(+, -, \times, /)$ .

\begin{align*} a &= x \times x \quad & x^2 \\ b &= a \times x \quad & x^3 \\ c &= b + x \quad & x^3 + x \\ d &= c + 5 \quad & x^3 + x + 5 \end{align*}

We have 4 gates because in every line $a, b, c$ and $d$ we have one arithmetic operations. Since $a$ and $b$ both have multiplication, we’ll need two multiplication gates:Gate#1 and Gate#2. Similarly, since $c$ and $d$ both have addition, we’ll also need two addition gates: Gate#3 and Gate#4.

Step 2: Gates to R1CS

Next, we will need to convert the previous statements into the R1CS (Rank-1 Constrain System) format, and which defines three vectors: A, B and C. The solution to this is a vector $(S)$ that must satisfy the equation below.

(A.S) \times (B.S) - (C.S) = 0

. represents the dot product which is a mathematical operation that takes two vectors and returns a single number (a scalar) so it’s not multiplication.

The length of each vector is equal to the total number of variables in the system, including a dummy variable one at the first index representing the number 1 which allows all constraints to be written in a constant form, the input variable x, a dummy variable d representing the output, and then all of the intermediate variablesa, b and c. So we will use this layout to display the variables:

S=[1,x,a,b,c,d]

Other articles might use a different layout like the one below. They are all the same, they all serve the same purpose. You can structure your layout depending on your own needs.

S=[1,d,x,a,b,c,d,1]

In this case, the Prover proves that he knows a solution that satisfies the equation $(x^3 + x +5 = 35)$ by producing a vector S which is the witness $w$ for $x = 3$ :

\begin{align*} S = \text{witness} = [1, x, (x \times x), (x^2 \times x), (x^3 + x), (x^3 + x + 5)] \\ S = \text{witness} = [1, 3, (3 \times 3), (9 \times 3), (27 + 3), (27 + 3 + 5)] \\ S = \text{witness} = [1, 3, 9, 27, 30, 35] \end{align*}

For the First Constraint:

By applying $x= 3$ on our first constraint $a =x \times x$ , we will get:

\begin{align*} A = [0,1,0,0,0,0] \\ B = [0,1,0,0,0,0] \\ C = [0,0,1,0,0,0] \end{align*}

So for $x = 3$ , $a= x \times x$ will be represented as $9 =3 \times 3$ or $3 \times 3 -9 = 0$ . The first $x$ which is 3 will be in the second index of the vector A because the second index in $S = [1,3,9,27,30,35]$ is 3. The second $x$ which is also 3 will also be in the second index of vector B. This leaves us with 9 which will be in the third index of vectorC.

So the function $(A.S) \times (B.S) - (C.S) = 0$ for $x = 3$ will look like this in vector form :

{ \small \begin{pmatrix} 0 & 1 & 0 & 0 & 0 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} \times \begin{pmatrix} 0 & 1 & 0 & 0 & 0 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} - \begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} = \begin{pmatrix} 0 \end{pmatrix} }

For the Second Constraint:

Similarly to the first constraint, by applying $x=3$ on our second constraint $b = a \times x$ , we will get:

\begin{align*} A = [0,0,1,0,0,0] \\ B = [0,1,0,0,0,0] \\ C = [0,0,0,1,0,0] \end{align*}

In simple terms, for $x =3$ , the second constraint will become $27 = 9 \times 3$ or $9 \times 3 -27 = 0$ . 9 is the third index in vector $A$ , 3 is the second index in vector $B$ and 27 is the fourth index in vector $c$ . Remember these vectors are made this way because of the structure of our layout for vector S :

S = [1, 3, 9, 27, 30, 35]

So the function $(A.S) \times (B.S) - (C.S) = 0$ for $x = 3$ will look like this in vector form :

{ \small \begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} \times \begin{pmatrix} 0 & 1 & 0 & 0 & 0 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} - \begin{pmatrix} 0 & 0 & 0 & 1 & 0 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} = \begin{pmatrix} 0 \end{pmatrix} }

For the Third Constraint:

By applying $x = 3$ on our third constraint $c = b + x$ or $c = (b + x) \times 1$ , we will get:

\begin{align*} A = [0,1,0,1,0,0] \\ B = [1,0,0,0,0,0] \\ C = [0,0,0,0,1,0] \end{align*}

The third constraint will become $30 = (27 + 3) \times 1$ or $(27 + 3) \times 1 - 30 =0$ .

27 is the fourth index in vector A and 3 is the second index in vector A. 1 is the first index in vector B and 30 is the fifth index in vector C.

{ \small \begin{pmatrix} 0 & 1 & 0 & 1 & 0 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} \times \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} - \begin{pmatrix} 0 & 0 & 0 & 0 & 1 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} = \begin{pmatrix} 0 \end{pmatrix} }

So vector $A$ is $3 + 27$ , vector $b$ is $1$ and vector $C$ is $30$ . Thus, $27 +3 - 30 = 0$ .

For the Fourth Constraint:

By applying $x = 3$ on our third constraint $d = c + 5$ or $d = (c+5) \times 1$ , we will get:

\begin{align*} A = [5,0,0,0,1,0] \\ B = [1,0,0,0,0,0] \\ C = [0,0,0,0,0,1] \end{align*}

{ \small \begin{pmatrix} 5 & 0 & 0 & 0 & 1 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} \times \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} - \begin{pmatrix} 0 & 0 & 0 & 0 & 0 & 1 \\ \end{pmatrix} \begin{pmatrix} S \\ \end{pmatrix} = \begin{pmatrix} 0 \end{pmatrix} }

We have 5 as the first index in vector A and $c=30$ as the fifth index in vector A. 1 is the first index in vector B and d = 35 is the last index in vector C.

After adding the vector A of all the constraints from 1 to 4 into a single vector A and doing the same thing for vector B and C, we will get the complete R1CS or final vector form of $(A.S) \times (B.S) - (C.S) = 0$ for $x =3$ :

{\small {\begin{pmatrix} 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 & 0 & 0 \\ 5 & 0 & 0 & 0 & 1 & 0 \\ \end{pmatrix}} \begin{pmatrix} S \end{pmatrix} \times {\begin{pmatrix} 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ \end{pmatrix}} \begin{pmatrix} S \end{pmatrix} - {\begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ \end{pmatrix}} \begin{pmatrix} S \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \end{pmatrix} }

Now let’s do the dot product of vector A,B and C with vector S but only for the first row of each vector to check if our calculations are correct.

For Vector A :

{\begin{pmatrix} \textcolor{lightblue}{0} & \textcolor{lightblue}{1} & \textcolor{lightblue}{0} & \textcolor{lightblue}{0} & \textcolor{lightblue}{0} & \textcolor{lightblue}{0} \\ 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 & 0 & 0 \\ 5 & 0 & 0 & 0 & 1 & 0 \\ \end{pmatrix}} \begin{pmatrix} \textcolor{lightblue}{1} \\ \textcolor{lightblue}{3} \\ \textcolor{lightblue}{9} \\ \textcolor{lightblue}{27} \\ \textcolor{lightblue}{30} \\ \textcolor{lightblue}{35} \end{pmatrix} = 3

(0 \times 1) + (1 \times 3) + (0 \times 9) + (0 \times 27) + (0 \times 30) + (0 \times 35) = 3

For Vector B :

{\begin{pmatrix} \textcolor{lightblue}{0} & \textcolor{lightblue}{1} & \textcolor{lightblue}{0} & \textcolor{lightblue}{0} & \textcolor{lightblue}{0} & \textcolor{lightblue}{0} \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ \end{pmatrix}} \begin{pmatrix} \textcolor{lightblue}{1} \\ \textcolor{lightblue}{3} \\ \textcolor{lightblue}{9} \\ \textcolor{lightblue}{27} \\ \textcolor{lightblue}{30} \\ \textcolor{lightblue}{35} \end{pmatrix} = 3

(0 \times 1) + (1 \times 3) + (0 \times 9) + (0 \times 27) + (0 \times 30) + (0 \times 35) = 3

For Vector C :

{\begin{pmatrix} \textcolor{lightblue}{0} & \textcolor{lightblue}{0} & \textcolor{lightblue}{1} & \textcolor{lightblue}{0} & \textcolor{lightblue}{0} & \textcolor{lightblue}{0} \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ \end{pmatrix}} \begin{pmatrix} \textcolor{lightblue}{1} \\ \textcolor{lightblue}{3} \\ \textcolor{lightblue}{9} \\ \textcolor{lightblue}{27} \\ \textcolor{lightblue}{30} \\ \textcolor{lightblue}{35} \end{pmatrix} = 9

(0 \times 1) + (0 \times 3) + (1 \times 9) + (0 \times 27) + (0 \times 30) + (0 \times 35) = 9

Final Equation :

(A.S) \times (B.S) - (C.S) = 3 \times 3 - 9 = 0

The Prover has provided the correct first part of the proof. We can then got through the other 3 rows for each vector A, B and C to find that the results will be zero but we won’t do it because you got the point. You can try it yourself and see that for every line $A \times B - C$ will always be zero. The Prover has thus proven that he knows the solution of the cubic equation. If you’re too lazy here’s the answers :

\begin{align*} 3 \times 3 - 9 = 0 \\ 9 \times 3 - 27 = 0 \\ (3+27) \times 1 - 30 = 0\\ (5+30) \times 1 - 35 = 0 \\ \end{align*}

To not create any confusion later we will refer to $(A.S) \times (B.S) - (C.S) = 0$ as

$(A’.S) \times (B’.S) - (C’.S) = 0$ . A will be called A’, B’ for B and C’ for C.

R1CS to QAP

The next step is taking this R1CS and converting it into QAP form, which implements the exact same logic except using polynomials instead of dot products. We go from four groups of three vectors of length six to six groups of three degree-3 polynomials, where evaluating the polynomials at each x coordinate represents one of the constraints. That is, if we evaluate the polynomials at $x=1$ , then we get our first set of vectors, if we evaluate the polynomials at $x=2$ , then we get our second set of vectors, and so on.

We can make this transformation using something called a Lagrange interpolation. The problem that a Lagrange interpolation solves is this: if you have a set of points (i.e. (x, y) coordinate pairs), then doing a Lagrange interpolation on those points gives you a polynomial that passes through all of those points.

What we are going to do is take the first value out of every A’ vector, use Lagrange interpolation to make a polynomial out of that (where evaluating the polynomial at i gets you the first value of the ith A’ vector), repeat the process for the first value of every B’ and C’ vector, and then repeat that process for the second values, the third values, and so on.

Step 1

Since we have 4 constraints, we will choose values for $x$ such that $x \in [ 1,2,3,4 ]$ .

We’re gonna have 6 polynomials against 6 variables and A’,B’,C’ are going to be these polynomials. Don’t worry if you didn’t understand this, we’ll explain everything.

We’re gonna evaluate each vector A,B and C for every value of $x \in [ 1,2,3,4 ]$ at every constraint.

First constraint

Remember vector A, B and C for the first constraint :

\begin{align*} A = [0,\textcolor{lightblue}{1},0,0,0,0] \\ B = [0,\textcolor{lightblue}{1},0,0,0,0] \\ C = [0,0,\textcolor{lightblue}{1},0,0,0] \end{align*}

We evaluate A, B and C for $x = 1$ :

\begin{align*} A_1(1) = 0 \hspace{1 cm} B_1(1) = 0 \hspace{1 cm} C_1(1) = 0 \\ A_2(1) = \textcolor{lightblue}{1} \hspace{1 cm} B_2(1) = \textcolor{lightblue}{1} \hspace{1 cm} C_2(1) = 0 \\ A_3(1) = 0 \hspace{1 cm} B_3(1) = 0 \hspace{1 cm} C_3(1) = \textcolor{lightblue}{1} \\ A_4(1) = 0 \hspace{1 cm} B_4(1) = 0 \hspace{1 cm} C_4(1) = 0 \\ A_5(1) = 0 \hspace{1 cm} B_5(1) = 0 \hspace{1 cm} C_5(1) = 0 \\ A_6(1) = 0 \hspace{1 cm} B_6(1) = 0 \hspace{1 cm} C_6(1) = 0 \end{align*}

Second Constraint

\begin{align*} A = [0,0,\textcolor{lightblue}{1},0,0,0] \\ B = [0,\textcolor{lightblue}{1},0,0,0,0] \\ C = [0,0,0,\textcolor{lightblue}{1},0,0] \end{align*}

We evaluate A, B and C for $x = 2$ :

\begin{align*} A_1(2) = 0 \hspace{1 cm} B_1(2) = 0 \hspace{1 cm} C_1(2) = 0 \\ A_2(2) = 0 \hspace{1 cm} B_2(2) = \textcolor{lightblue}{1} \hspace{1 cm} C_2(2) = 0 \\ A_3(2) = \textcolor{lightblue}{1} \hspace{1 cm} B_3(2) = 0 \hspace{1 cm} C_3(2) = 0 \\ A_4(2) = 0 \hspace{1 cm} B_4(2) = 0 \hspace{1 cm} C_4(2) = \textcolor{lightblue}{1} \\ A_5(2) = 0 \hspace{1 cm} B_5(2) = 0 \hspace{1 cm} C_5(2) = 0 \\ A_6(2) = 0 \hspace{1 cm} B_6(2) = 0 \hspace{1 cm} C_6(2) = 0 \end{align*}

Third Constraint

\begin{align*} A = [0,\textcolor{lightblue}{1},0,\textcolor{lightblue}{1},0,0] \\ B = [\textcolor{lightblue}{1},0,0,0,0,0] \\ C = [0,0,0,0,\textcolor{lightblue}{1},0] \end{align*}

We evaluate A, B and C for $x = 3$ :

\begin{align*} A_1(3) = 0 \hspace{1 cm} B_1(3) = \textcolor{lightblue}{1} \hspace{1 cm} C_1(3) = 0 \\ A_2(3) = \textcolor{lightblue}{1} \hspace{1 cm} B_2(3) = 0 \hspace{1 cm} C_2(3) = 0 \\ A_3(3) = 0 \hspace{1 cm} B_3(3) = 0 \hspace{1 cm} C_3(3) = 0 \\ A_4(3) = \textcolor{lightblue}{1} \hspace{1 cm} B_4(3) = 0 \hspace{1 cm} C_4(3) = 0 \\ A_5(3) = 0 \hspace{1 cm} B_5(3) = 0 \hspace{1 cm} C_5(3) = \textcolor{lightblue}{1} \\ A_6(3) = 0 \hspace{1 cm} B_6(3) = 0 \hspace{1 cm} C_6(3) = 0 \end{align*}

Fourth Constraint

\begin{align*} A = [\textcolor{lightblue}{5},0,0,0,\textcolor{lightblue}{1},0] \\ B = [\textcolor{lightblue}{1},0,0,0,0,0] \\ C = [0,0,0,0,0,\textcolor{lightblue}{1}] \end{align*}

We evaluate A, B and C for $x = 4$ :

\begin{align*} A_1(4) = \textcolor{lightblue}{5} \hspace{1 cm} B_1(4) = \textcolor{lightblue}{1} \hspace{1 cm} C_1(4) = 0 \\ A_2(4) = 0 \hspace{1 cm} B_2(4) = 0 \hspace{1 cm} C_2(4) = 0 \\ A_3(4) = 0 \hspace{1 cm} B_3(4) = 0 \hspace{1 cm} C_3(4) = 0 \\ A_4(4) = 0 \hspace{1 cm} B_4(4) = 0 \hspace{1 cm} C_4(4) = 0 \\ A_5(4) = \textcolor{lightblue}{1} \hspace{1 cm} B_5(4) = 0 \hspace{1 cm} C_5(4) = 0 \\ A_6(4) = 0 \hspace{1 cm} B_6(4) = 0 \hspace{1 cm} C_6(4) = \textcolor{lightblue}{1} \end{align*}

Step 2

We can see $A_1(x), …, A_6(x)$ , $B_1(x), …, B_6(x)$ and $C_1(x), …, C_6(x)$ at every point $x$ from 1 to 4. We will display them in the format below :

\begin{align*} A_1(1) = 0 \hspace{1 cm} B_1(1) = 0 \hspace{1 cm} C_1(1) = 0 \\ A_1(2) = 0 \hspace{1 cm} B_1(2) = 0 \hspace{1 cm} C_1(2) = 0 \\ A_1(3) = 0 \hspace{1 cm} B_1(3) = 1 \hspace{1 cm} C_1(3) = 0 \\ A_1(4) = 5 \hspace{1 cm} B_1(4) = 1 \hspace{1 cm} C_1(4) = 0 \\ \hspace{0.5 cm}... \hspace{2.5 cm} ... \hspace{2.5 cm} ...\\ A_6(1) = 0 \hspace{1 cm} B_6(1) = 0 \hspace{1 cm} C_6(1) = 0 \\ A_6(2) = 0 \hspace{1 cm} B_6(2) = 0 \hspace{1 cm} C_6(2) = 0 \end{align*}

We have only a single polynomial of degree 3 that passes through $A_1(1)$ to $A_1(4)$ . The polynomial will intersect the $x-axis$ at $x = 1, 2 \space \text{and} \space 3$ since the result for each one of them is 0 $(A_1(1) = 0, A_1(2) = 0, A_1(3) = 0)$ and will hit the line $y = 5$ for $x = 4$ .

Or we can also take the $y-coordinates$ in the first column in $(A’.S) \times (B’.S) - (C’.S) = 0$ for $x \in [1,2,3,4]$ resulting to 4 points $(1,0), (2,0), (3,0), (4,5)$ :

{\small {\begin{pmatrix} \textcolor{orange}{0} & 1 & 0 & 0 & 0 & 0 \\ \textcolor{orange}{0} & 0 & 1 & 0 & 0 & 0 \\ \textcolor{orange}{0} & 1 & 0 & 1 & 0 & 0 \\ \textcolor{orange}{5} & 0 & 0 & 0 & 1 & 0 \\ \end{pmatrix}} \begin{pmatrix} S \end{pmatrix} \times {\begin{pmatrix} 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 \\ \end{pmatrix}} \begin{pmatrix} S \end{pmatrix} - {\begin{pmatrix} 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ \end{pmatrix}} \begin{pmatrix} S \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \end{pmatrix} }

This is an arbitrary interpretation which we use to convert the R1CS into the QAP form. We could have as well used $[5,7,9,11]$ instead of $[1,2,3,4]$ as long as we are consistent across all equations.

The number of polynomials & their degree would depend on the length of the solution vector & the number of gates.

The solution vector S contains 6 elements $[1, 3, 9, 27, 30, 35]$ , so we can construct 6 polynomials per vector. Each gate contributes 1 point to each polynomial. We have 4 gates here meaning we get 4 points per polynomial. 4 points allows us to define a polynomial of maximum degree 3. So we can construct 6 polynomials each with a maximum degree of 3.

A visual representation of the points for each polynomial of vector A’ will look like :

\begin{align*} \textcolor{orange}{(}A_1(1),..., A_1(4)\textcolor{orange}{)}, \textcolor{orange}{(}A_2(1),..., A_2(4)\textcolor{orange}{)}, \textcolor{orange}{(}A_3(1),..., A_3(4)\textcolor{orange}{)}, \\ \textcolor{orange}{(}A_4(1),..., A_4(4)\textcolor{orange}{)}, \textcolor{orange}{(}A_5(1),..., A_5(4)\textcolor{orange}{)}, \textcolor{orange}{(}A_6(1),..., A_6(4)\textcolor{orange}{)} \end{align*}

So in total we have 3 vectors A’, B’ and C’ with 6 polynomials each, resulting in 18 polynomials.

We can find the polynomial passing through these 4 points using Lagrange Interpolation. We will only demonstrate for only the first polynomial and give you the result for all 18 polynomials. You can do the other ones by yourselves and compare your answers.

Lagrange Interpolation

To construct the Lagrange interpolation polynomial for the points $(1,0),(2,0),(3,0),(4,5)$ over a finite field with $GF(641)$ , we’ll use the following approach.

Given points $(x_1 ,y_1 ),(x_2 ,y_2 ), …, (x_n ,y_n )$ , the Lagrange polynomial $L(x)$ is constructed as:

L(x) = \sum^n_{i=1} y_i ⋅ l_i(x)

where each $l_i(x)$ is the Lagrange basis polynomial for point $(x_i, y_i)$ , defined by:

l_i(x) = \Pi_{j \neq i} \frac{x-x_j}{x_i - x_j} \space (mod \space 641)

In this case :

The points are :
- $( 𝑥_1 , 𝑦_1 ) = ( 1 , 0 )$
- $( 𝑥_2 , 𝑦_2 ) = ( 2 , 0 )$
- $( 𝑥_3 , 𝑦_3 ) = ( 3 , 0 )$
- $( 𝑥_4 , 𝑦_4 ) = ( 4 , 5 )$
Field $GF(641)$

Since $𝑦_1 =y_2 =y_3 =0$ , only $𝑦_4 = 5$ contributes to the polynomial, so we need only compute $l_4 ( 𝑥 )$ .

Step-by-Step Calculation of $l_4 ( 𝑥 )$ :

l_4(x)= \frac{(x-x_1)(x-x_2)(x-x_3)}{(x_4-x_1)(x_4-x_2)(x_4-x_3)} \space (mod \space 641)

Substitute $𝑥_1=1, 𝑥_2 =2, 𝑥_3=3$ , and $𝑥_4=4$ :

Calculate the denominator :
$(4−1)(4−2)(4−3)=3⋅2⋅1=6$
Inverse of $6 \space mod \space 641$ is $107$ , since $6 \times 107 \equiv 1 \space (mod \space 641)$ .
Compute $l_4 ( 𝑥 )$ :
$l_4(x) = 107 ⋅(x−1)(x−2)(x−3) \space (mod \space 641)$
Expand $(x-1)(x-2)(x-3)$ :

Expanding this product :
$(x−1)(x−2)=x^2−3x+2$

(x^2−3x+2)(x−3) = x^3−3x^2 −3x^2+9x+2x−6 = x^3 −6x^2+11x−6

Substitute into $l_4(x)$ :

l_4(x)= 107(x^3−6x^2+11x−6)=107x^3 - 642x^2 + 1177x - 642 \space (mod \space 10)

Final Polynomial $L(x)$ :

\begin{align*} L(x) &= y_4 \times l_4(x)=5 \times(107x^3 - 642x^2 + 1177x - 642 ) \space (mod \space 641) \\ L(x) &= (535x^3 - 3210x^2 + 5885x - 3210) \space (mod \space 641) \end{align*}

So the polynomial corresponding to the first Column of vector A’ is :

L(x)=535x^3+ 636x^2+ 116x+ 636

Since we didn’t calculated $𝑦_1, y_2, y_3$ , you can ask chatgpt to calculate $y_1, y_2, y_3, y_4$ and generate the final polynomial if you have more than one point with coordinates other than 0.

Below are all coefficients of all 18 polynomials that we applied a finite field 641 to :

Polynomials of vector A’ : We’ll call the new vector, vector A’’.

{\begin{pmatrix} 636 & 116 & 636 & 535 \\ 213 & 5 & 416 & 8 \\ 635 & 330 & 637 & 321 \\ 4 & 634 & 324 & 320 \\ 640 & 536 & 640 & 107 \\ 0 & 0 & 0 & 0 \\ \end{pmatrix}}

You can see the polynomial we got from the first column i.e. $(535x^3+ 636x^2+ 116x+ 636$ ) appear in first row of vector A’’. The Row is to be interpreted in reverse order - i.e. $[4, 2, 3, 7]$ .

I’m going to re-explain what happened so we won’t get confused later. We applied Lagrange interpolation to the first column of vector A’ and we got the first row of vector A’’ but in reverse.

{ \small {\begin{pmatrix} \textcolor{orange}{0} & 1 & 0 & 0 & 0 & 0 \\ \textcolor{orange}{0} & 0 & 1 & 0 & 0 & 0 \\ \textcolor{orange}{0} & 1 & 0 & 1 & 0 & 0 \\ \textcolor{orange}{5} & 0 & 0 & 0 & 1 & 0 \\ \end{pmatrix}} \longrightarrow {\begin{pmatrix} \textcolor{orange}{636} & \textcolor{orange}{116} & \textcolor{orange}{636} & \textcolor{orange}{535} \\ 8 & 416 & 5 & 213 \\ 635 & 330 & 637 & 321 \\ 4 & 634 & 324 & 320 \\ 640 & 536 & 640 & 107 \\ 0 & 0 & 0 & 0 \\ \end{pmatrix}} }

Polynomials of vector B’ : We’ll call the new vector, vector B’’.

{\begin{pmatrix} 3 & 529 & 323 & 427 \\ 639 & 112 & 318 & 214 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ \end{pmatrix}}

Polynomials of vector C’ : We’ll call the new vector, vector C’’.

{\begin{pmatrix} 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 4 & 423 & 322 & 534 \\ 635 & 330 & 637 & 321 \\ 4 & 634 & 324 & 320 \\ 640 & 536 & 640 & 107 \\ \end{pmatrix}}

This finishes the transformation of the problem to the QAP Form.

What do we achieve by converting it into the QAP form? Instead of checking the constraints in the R1CS individually, we can now check all of the constraints at the same time by doing the dot product check on the polynomials.

Our solution S has 6 elements $[1, 3, 9, 27, 30, 35]$ . we can do a dot product of $(S.A'')$ whose output again will be a polynomial. Likewise for the other 2 polynomial matrices.

For vector A’’ :

{\begin{pmatrix} \textcolor{orange}{636} & \textcolor{orange}{116} & \textcolor{orange}{636} & \textcolor{orange}{535} \\ 8 & 416 & 5 & & 213 \\ 635 & 330 & 637 & 321 \\ 4 & 634 & 324 & 320 \\ 640 & 536 & 640 & 107 \\ 0 & 0 & 0 & 0 \\ \end{pmatrix}} \begin{pmatrix} \textcolor{orange}{1} \\ \textcolor{orange}{3} \\ \textcolor{orange}{9} \\ \textcolor{orange}{27} \\ \textcolor{orange}{30} \\ \textcolor{orange}{35} \end{pmatrix} = ...

We know the dot product is done by multiplying all the values of each row at a time in A’’ with vector S. Like this for the first row:

(636 \times 1) + (116 \times 3) + (636 \times 9) + (535 \times 27) + (0 \times 30) + (0 \times 35) = ...

This approach is not correct!! Since we have rotated A’ going to A’’, we will need to calculate the dot product vertically like this for the first column :

{\begin{pmatrix} {636} & {116} & 636 & \textcolor{orange}{535} \\ 8 & 416 & 5 & \textcolor{orange}{213} \\ 635 & 330 & 637 & \textcolor{orange}{321} \\ 4 & 634 & 324 & \textcolor{orange}{320} \\ 640 & 536 & 640 & \textcolor{orange}{107} \\ 0 & 0 & 0 & \textcolor{orange}{0} \\ \end{pmatrix}} \begin{pmatrix} \textcolor{orange}{1} \\ \textcolor{orange}{3} \\ \textcolor{orange}{9} \\ \textcolor{orange}{27} \\ \textcolor{orange}{30} \\ \textcolor{orange}{35} \end{pmatrix} = 529\textcolor{orange}{x^3} + 359\textcolor{orange}{x^2} + 354\textcolor{orange}{x} + 43

\begin{align*} &(535 \times 1) + (213 \times 3) + (321 \times 9) + (320 \times 27) + (107 \times 30) + (0 \times 35) \\ & 535 + 639 + 2889 + 8640 + 3210 + 0 = 15913\\ \end{align*}

We do the same thing for all 4 columns while applying $GF(641)$ :

\begin{align*} & \text{1st column : } 15913 \textcolor{orange}{x^3} \\ & 15913 \textcolor{orange}{x^3} \mod 641 = 529\textcolor{orange}{x^3} \\ & \text{2nd column : } 34332 \textcolor{orange}{x^2} \\ & 34332 \textcolor{orange}{x^2} \mod 641 = 359\textcolor{orange}{x^2} \\ & \text{3rd column : } 37532\textcolor{orange}{x} \\ & 37532\textcolor{orange}{x} \mod 641 = 354\textcolor{orange}{x} \\ & \text{4th column : } 25683 \\ & 25683 \mod 641 = 43 \end{align*}

or we can rotate the vector A’’ to get 4 rows and 6 columns instead of 6 rows and 4 columns and do the dot product as we usually do it, horizontally.

For vector B’’ :

{\begin{pmatrix} 3 & 529 & 323 & 427 \\ 639 & 112 & 318 & 214 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ \end{pmatrix}} \begin{pmatrix} 1 \\ 3 \\ 9 \\ 27 \\ 30 \\ 35 \end{pmatrix} = 428\textcolor{orange}{x^3} + 636\textcolor{orange}{x^2} + 224\textcolor{orange}{x} + 638

\begin{align*} & \text{1st column : } 1069\textcolor{orange}{x^3} \\ & 1069\textcolor{orange}{x^3} \mod 641 = 428\textcolor{orange}{x^3} \\ & \text{2nd column : } 1277\textcolor{orange}{x^2}\\ & 1277\textcolor{orange}{x^2} \mod 641 = 636\textcolor{orange}{x^2} \\ & \text{3rd column : } 865\textcolor{orange}{x} \\ & 865\textcolor{orange}{x} \mod 641 = 224\textcolor{orange}{x} \\ & \text{4th column : } 1920 \\ & 1920 \mod 641 = 638 \end{align*}

For vector C’’ :

{\begin{pmatrix} 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 4 & 423 & 322 & 534 \\ 635 & 330 & 637 & 321 \\ 4 & 634 & 324 & 320 \\ 640 & 536 & 640 & 107 \\ \end{pmatrix} } \begin{pmatrix} 1 \\ 3 \\ 9 \\ 27 \\ 30 \\ 35 \end{pmatrix} = 537\textcolor{orange}{x^3} + 296\textcolor{orange}{x^2} + 499\textcolor{orange}{x} + 600

\begin{align*} & \text{1st column : } 26818\textcolor{orange}{x^3} \\ & 26818\textcolor{orange}{x^3} \mod 641 = 537\textcolor{orange}{x^3} \\ & \text{2nd column : } 52217\textcolor{orange}{x^2} \\ & 52217\textcolor{orange}{x^2} \mod 641 = 296\textcolor{orange}{x^2} \\ & \text{3rd column : } 50497\textcolor{orange}{x} \\ & 50497\textcolor{orange}{x} \mod 641 = 499\textcolor{orange}{x} \\ & \text{4th column : } 39701 \\ & 39701 \mod 641 = 600 \end{align*}

So by taking the dot product of S with each of matrix A’’, B’’, C’’, we created 3 polynomials.

\begin{align*} & (A''.S) = 529\textcolor{orange}{x^3} + 359\textcolor{orange}{x^2} + 354\textcolor{orange}{x} + 43 \\ & (B''.S) = 428\textcolor{orange}{x^3} + 636\textcolor{orange}{x^2} + 224\textcolor{orange}{x} + 638 \\ & (C''.S) = 537\textcolor{orange}{x^3} + 296\textcolor{orange}{x^2} + 499\textcolor{orange}{x} + 600 \end{align*}

We can define a new polynomial :

T = (A''.S) \times (B''.S) - (C''.S)

{\small T = {\begin{pmatrix} 636 & 116 & 636 & 535 \\ 213 & 5 & 416 & 8 \\ 635 & 330 & 637 & 321 \\ 4 & 634 & 324 & 320 \\ 640 & 536 & 640 & 107 \\ 0 & 0 & 0 & 0 \\ \end{pmatrix}} \begin{pmatrix} 1 \\ 3 \\ 9 \\ 27 \\ 30 \\ 35 \end{pmatrix} \times {\begin{pmatrix} 3 & 529 & 323 & 427 \\ 639 & 112 & 318 & 214 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ \end{pmatrix}} \begin{pmatrix} 1 \\ 3 \\ 9 \\ 27 \\ 30 \\ 35 \end{pmatrix} - {\begin{pmatrix} 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 4 & 423 & 322 & 534 \\ 635 & 330 & 637 & 321 \\ 4 & 634 & 324 & 320 \\ 640 & 536 & 640 & 107 \\ \end{pmatrix}} \begin{pmatrix} 1 \\ 3 \\ 9 \\ 27 \\ 30 \\ 35 \end{pmatrix} }

\begin{align*} & {\small T(x) =(529\textcolor{orange}{x^3} + 359\textcolor{orange}{x^2} + 354\textcolor{orange}{x} + 43) \times (428\textcolor{orange}{x^3} + 636\textcolor{orange}{x^2} + 224\textcolor{orange}{x} + 638 ) - (537\textcolor{orange}{x^3} + 296\textcolor{orange}{x^2} + 499\textcolor{orange}{x} + 600) } \\ & T(x) = 139\textcolor{orange}{x^6} + 372\textcolor{orange}{x^5} + 275\textcolor{orange}{x^4} + 58\textcolor{orange}{x^3} + 147\textcolor{orange}{x^2} + 379\textcolor{orange}{x} + 553 \end{align*}

In the R1S, we had checked if $(A.S)∗(B.S)-(C.S) = 0$ for each of the Gates. After conversion to QAP, we can do the same by checking the value of $T$ at $x$ at $1,2,3,4$ - if all 4 are zero, then we have checked all the constraints together - thereby proving that the solution vector known to the Provers satisfies the equation.

T(1) = T(2) = T(3) = T(4) = 0

Let take a value, for example $3$ at lets check if its $0$ for $T(3)$ :

\begin{align*} & T(3) = 139 \times \textcolor{orange} {3^6} + 372 \times \textcolor{orange} {3^5} + 275 \times \textcolor{orange} {3^4} + 58 \times \textcolor{orange}{3^3} + 147\times \textcolor{orange}{3^2} + 379 \times \textcolor{orange}{3} + 553 \\ & T(3) = 218581 \mod 641 = 0 \end{align*}

However, the Verifier doesn’t know the polynomial $T$ , nor can he compute it since he doesn’t know the solution vector S. So the Prover has to prove it to the Verifier that $T$ is zero at $x \in [1,2,3,4]$ . If T is really zero at $x \in [1,2,3,4]$ , then we say that these are all roots of $T$ . So we create a new polynomial $Z$ known by both the Prover & the Verifier. If $T$ is perfectly divisible by $Z$ , then it will leave no remainder.

Let $Z$ be :

Z = (x-1) \times (x-2) \times (x-3) \times (x-4)

So there must exist a Polynomial $H$ such that :

T(x)=H(x) \times Z(x)

H(x) = \frac {T(x)} {Z(x)} = \frac{ 139\textcolor{orange}{x^6} + 372\textcolor{orange}{x^5} + 275\textcolor{orange}{x^4} + 58\textcolor{orange}{x^3} + 147\textcolor{orange}{x^2} + 379\textcolor{orange}{x} + 553 } {((x-1) \times (x-2) \times (x-3) \times (x-4))} = 0

In real life $T$ won’t be equal to 0. If it was 0, the Prover can act maliciously and prove that $H(x) = 0$ for any kind of polynomial $Z(x)$ . This was just an example. If you structure vector $S$ like this $[\textcolor{orange}{1},\textcolor{orange}{35},3,9,27,30]$ , $T(x)$ will equal to :

Usually they put the dummy variables like 1 or the output $d = 35$ at the start or/and in the end of the vector so this structure is also true : $[\textcolor{orange}{1},\textcolor{orange}{35},3,9,27,30,\textcolor{orange}{35},\textcolor{orange}{1}]$ or $[\textcolor{orange}{1},\textcolor{orange}{35},3,9,27,30]$ .

In a typical zk-SNARK, the Prover proves that $Z$ exactly divides $T$ using Polynomial Commitments & Elliptic Curve Bilinear Pairings.

This is the end of our article. Hope it wasn’t hard to understand. To make sure you fully understood, you can try different structures of vector S then check that $T(x) = 0$ for $x \in [1,2,3,4]$ and $H(x) = \frac {T(x)} {Z(x)}$ has no a remainder of 0.

Subscribe to FarFromAverage

Receive the latest updates directly to your inbox.

Mint this entry as an NFT to add it to your collection.

Verification

This entry has been permanently stored onchain and signed by its creator.

Arweave Transaction

i4tpcyR2vMTuRWD…0jb6m9Oy2XIAeA4

Author Address

0xB6756bA4C2a7ED5…4F191B9B63595B0

Content Digest

srh5_CFlOQSAAww…qjFLPD9O-qzycco