zcash官方介绍 zk-SNARK circuit->QAP转化

除了V神的博客值得推荐外，zcash官方的blog也做了形象的解释。也可参看本人另一篇博文<Vitalik Buterin Quardratic Arithmetic Programs: from Zero to Hero 实现>，有更直观的了解。

在zcash官方blog Explaining SNARKs Part V: From Computations to Polynomials，中：

Suppose Alice wants to prove to Bob she knows c1,c2,c3∈Fp such that (c1⋅c2)⋅(c1+c3)=7. The first step is to present the expression computed from c1,c2,c3as an arithmetic circuit.

对应的Arithmetic circuits 为：

A legal assignment for the circuit, is an assignment of values to the labeled wires where the output value of each multiplication gate is indeed the product of the corresponding inputs. So for our circuit, a legal assignment is of the form: (c1,…,c5 where c4=c1⋅c2 and c5=c4⋅(c1+c3). In this terminology, what Alice wants to prove is that she knows a legal assignment (c1,…,c5)such that c5=7. The next step is to translate this statement into one about polynomials using QAPs.

计算中，只需考虑乘法门，以上图为例：w1/w2/w4分别g1的左侧输入/右侧输入和输出；w1和w3为g2的右侧输入，w4为g2的左侧输入，w5为g2的输出。

假设对应g1门关联1，g2门关联2，则{1,2}为目标点。
We associate each multiplication gate with a field element: g1 will be associated with 1∈Fp and g2 with 2∈Fp. We call the points {1,2} our target points. Now we need to define a set of “left wire polynomials” L1,…,L5, “right wire polynomials” R1,…,R5 and “output wire polynomials” O1,…,O5.

The idea for the definition is that the polynomials will usually be zero on the target points, except the ones involved in the target point’s corresponding multiplication gate.