Evaluating a Quadratic Arithmetic Program on a Trusted Setup

Evaluating a Quadratic Arithmetic Program (QAP) on a trusted setup enables a prover to demonstrate that a QAP is satisfied without revealing the witness while using a constant sized proof.

Specifically, the QAP polynomials are evaluated at an unknown point τ\tau. The QAP equation

i=1maiui(x)i=1maivi(x)=i=1maiwi(x)+h(x)t(x)\sum_{i=1}^m a_iu_i(x)\sum_{i=1}^m a_iv_i(x) = \sum_{i=1}^m a_iw_i(x) + h(x)t(x)

will be balanced if the vector a\mathbf{a} satisfies the equation, and unbalanced with overwhelming probability otherwise.

The scheme shown here is not a secure ZK Proof, but it is a stepping stone towards showing how Groth16 works.

A Concrete Example

To make this a little less abstract, let’s say that matrices of the Rank 1 Constraint System (R1CS) L\mathbf{L}, R\mathbf{R}, and O\mathbf{O} have 3 rows and 4 columns.

LaRa=Oa\mathbf{L}\mathbf{a} \circ \mathbf{R}\mathbf{a} = \mathbf{O}\mathbf{a}

Since we have 3 rows, it means our interpolating polynomials will be of degree 2. Because we have 4 columns, each matrix will result in 4 polynomials (for a total of 12 polynomials).

Our QAP will be

i=14aiui(x)i=14aivi(x)=i=14aiwi(x)+h(x)t(x)\sum_{i=1}^4a_iu_i(x)\sum_{i=1}^4a_iv_i(x) = \sum_{i=1}^4a_iw_i(x) + h(x)t(x)

Notation and Preliminaries

We refer to the generators elliptic curve points in the groups G1\mathbb{G}_1 and G2\mathbb{G}_2 as G1G_1 and G2G_2 respectively. An element in G1\mathbb{G}_1 is denoted as [X]1[X]_1. An element in G2\mathbb{G}_2 is denoted as [X]2[X]_2. Where there might be ambiguity with the subscripts referring to indices in a list, we say XG1X \in \mathbb{G}_1 or XG2X \in \mathbb{G}_2. An elliptic curve pairing between two points is denoted as [X]1[Y]2[X]_1 \bullet [Y]_2.

Let L(,j)\mathbf{L}_{(*,j)} be the jj-th column of L\mathbf{L}. In our example, the rows will be (1,2,3)(1,2,3) and the columns (1,2,3,4)(1,2,3,4). Let L(L(,j))\mathcal{L}(\mathbf{L}_{(*,j)}) be the polynomial obtained from running Lagrange interpolation on the jj-th column of L\mathbf{L} using the xx values (1,2,3)(1,2,3) and the yy values being the values of the jj-th column.

Since we have 4 columns, we obtain four polynomials from L\mathbf{L}

u1(x)=L(L(,1))=u12x2+u11x+u10u2(x)=L(L(,2))=u22x2+u21x+u20u3(x)=L(L(,3))=u32x2+u31x+u30u4(x)=L(L(,4))=u42x2+u41x+u40\begin{align*} u_1(x) = \mathcal{L}(\mathbf{L}_{(*,1)}) =u_{12}x^2 + u_{11}x+u_{10}\\ u_2(x) = \mathcal{L}(\mathbf{L}_{(*,2)}) =u_{22}x^2 + u_{21}x+u_{20}\\ u_3(x) = \mathcal{L}(\mathbf{L}_{(*,3)}) =u_{32}x^2 + u_{31}x+u_{30}\\ u_4(x) = \mathcal{L}(\mathbf{L}_{(*,4)}) =u_{42}x^2 + u_{41}x+u_{40}\\ \end{align*}

four polynomials from R\mathbf{R}

v1(x)=L(R(,1))=v12x2+v11x+v10v2(x)=L(R(,2))=v22x2+v21x+v20v3(x)=L(R(,3))=v32x2+v31x+v30v4(x)=L(R(,4))=v42x2+v41x+v40\begin{align*} v_1(x) = \mathcal{L}(\mathbf{R}_{(*,1)}) =v_{12}x^2 + v_{11}x+v_{10}\\ v_2(x) = \mathcal{L}(\mathbf{R}_{(*,2)}) =v_{22}x^2 + v_{21}x+v_{20}\\ v_3(x) = \mathcal{L}(\mathbf{R}_{(*,3)}) =v_{32}x^2 + v_{31}x+v_{30}\\ v_4(x) = \mathcal{L}(\mathbf{R}_{(*,4)}) =v_{42}x^2 + v_{41}x+v_{40}\\ \end{align*}

and four polynomials from O\mathbf{O}

w1(x)=L(O(,1))=w12x2+w11x+w10w2(x)=L(O(,2))=w22x2+w21x+w20w3(x)=L(O(,3))=w32x2+w31x+w30w4(x)=L(O(,4))=w42x2+w41x+w40\begin{align*} w_1(x) = \mathcal{L}(\mathbf{O}_{(*,1)}) =w_{12}x^2 + w_{11}x+w_{10}\\ w_2(x) = \mathcal{L}(\mathbf{O}_{(*,2)}) =w_{22}x^2 + w_{21}x+w_{20}\\ w_3(x) = \mathcal{L}(\mathbf{O}_{(*,3)}) =w_{32}x^2 + w_{31}x+w_{30}\\ w_4(x) = \mathcal{L}(\mathbf{O}_{(*,4)}) =w_{42}x^2 + w_{41}x+w_{40}\\ \end{align*}

A polynomial pijp_{ij} means the ii-th polynomial of the and the jj-th coefficient (power). For example, j=2j=2 means the coefficient associated with x2x^2.

The QAP for our example is

i=14aiui(x)i=14aivi(x)=i=14aiwi(x)+h(x)t(x)\sum_{i=1}^4a_iu_i(x)\sum_{i=1}^4a_iv_i(x) = \sum_{i=1}^4a_iw_i(x) + h(x)t(x)

where t(x)=(x1)(x2)(x3)t(x) = (x - 1)(x - 2)(x - 3) and h(x)h(x) is

h(x)=i=14aiui(x)i=14aivi(x)i=14aiwi(x)t(x)h(x)=\frac{\sum_{i=1}^4a_iu_i(x)\sum_{i=1}^4a_iv_i(x) - \sum_{i=1}^4a_iw_i(x)}{t(x)}

The degrees of the polynomials in the QAP with respect to the size of the R1CS

A couple observations about the degrees of the polynomials in the general case:

  • The degree of u(x)u(x) and v(x)v(x) could be as high as n1n - 1 because they interpolate nn points, where nn is the number of rows in the R1CS.
  • The degree of w(x)w(x) could be as low as 0 if the sum of the polynomials i=0maiwi(x)\sum_{i=0}^m a_iw_i(x) adds up to the zero polynomial, that is, the coefficients additively cancel each other out.
  • t(x)t(x) is degree nn by definition.
  • Multiplying polynomials adds their degrees together, and dividing polynomials subtracts their degrees.

Therefore, h(x) will be at most n2n - 2 because

n1degu(x)+n1degv(x)ndegt(x)=n2\underbrace{n - 1}_{ \deg{u(x)}} + \underbrace{n - 1}_{\deg{v(x)}} - \underbrace{n}_{\deg{t(x)}} = n - 2

Expanding the terms

If we expand the sums from our previous example, we get the following

i=14aiui(x)=a1(u12x2+u11x+u10)+a2(u22x2+u21x+u20)+a3(u32x2+u31x+u30)+a4(u42x2+u41x+u40)=(a1u12+a2u22+a3u32+a4u42)x2+(a1u11+a2u21+a3u31+a4u41)x+(a1u10+a2u20+a3u30+a4u40)=u2ax2+u1ax+u0ai=14aivi(x)=a1(v12x2+v11x+v10)+a2(v22x2+v21x+v20)+a3(v32x2+v31x+v30)+a4(v42x2+v41x+v40)=(a1v12+a2v22+a3v32+a4v42)x2+(a1v11+a2v21+a3v31+a4v41)x+(a1v10+a2v20+a3v30+a4v40)=v2ax2+v1ax+v0ai=14aiwi(x)=a1(w12x2+w11x+w10)+a2(w22x2+w21x+w20)+a3(w32x2+w31x+w30)+a4(w42x2+w41x+w40)=(a1w12+a2w22+a3w32+a4w42)x2+(a1w11+a2w21+a3w31+a4w41)x+(a1w10+a2w20+a3w30+a4w40)=w2ax2+w1ax+w0a\begin{align*} \sum_{i=1}^4 a_iu_i(x) &= a_1(u_{12}x^2 + u_{11}x+u_{10}) + a_2(u_{22}x^2 + u_{21}x+u_{20}) + a_3(u_{32}x^2 + u_{31}x+u_{30}) + a_4(u_{42}x^2 + u_{41}x+u_{40})\\ &= (a_1u_{12}+a_2u_{22}+a_3u_{32}+a_4u_{42})x^2 + (a_1u_{11}+a_2u_{21}+a_3u_{31}+a_4u_{41})x + (a_1u_{10}+a_2u_{20}+a_3u_{30}+a_4u_{40})\\ &=u_{2a}x^2+u_{1a}x+u_{0a}\\ \sum_{i=1}^4 a_iv_i(x) &= a_1(v_{12}x^2 + v_{11}x+v_{10}) + a_2(v_{22}x^2 + v_{21}x+v_{20}) + a_3(v_{32}x^2 + v_{31}x+v_{30}) + a_4(v_{42}x^2 + v_{41}x+v_{40})\\ &= (a_1v_{12}+a_2v_{22}+a_3v_{32}+a_4v_{42})x^2 + (a_1v_{11}+a_2v_{21}+a_3v_{31}+a_4v_{41})x + (a_1v_{10}+a_2v_{20}+a_3v_{30}+a_4v_{40})\\ &=v_{2a}x^2+v_{1a}x+v_{0a}\\ \sum_{i=1}^4 a_iw_i(x) &= a_1(w_{12}x^2 + w_{11}x+w_{10}) + a_2(w_{22}x^2 + w_{21}x+w_{20}) + a_3(w_{32}x^2 + w_{31}x+w_{30}) + a_4(w_{42}x^2 + w_{41}x+w_{40})\\ &= (a_1w_{12}+a_2w_{22}+a_3w_{32}+a_4w_{42})x^2 + (a_1w_{11}+a_2w_{21}+a_3w_{31}+a_4w_{41})x + (a_1w_{10}+a_2w_{20}+a_3w_{30}+a_4w_{40})\\ &=w_{2a}x^2+w_{1a}x+w_{0a}\\ \end{align*}

In each of the cases, since we are adding 4 degree 2 polynomials, we get a degree 2 polynomial.

In general expression i=1maipi(x)\sum_{i=1}^m a_ip_i(x) produces a polynomial with at most the same power as p(x)p(x) (it could be less, if for example (a1w12+a2w22+a3w32+a4w42)x2(a_1w_{12}+a_2w_{22}+a_3w_{32}+a_4w_{42})x^2 added up to 0). For convenience, we have introduced the coefficients piap_{ia} where ii is the power of the coefficient and a_a means we combined the polynomials with the witness a\mathbf{a}.

Here are the polynomials after reducing the polynomials in this manner:

i=14aiui(x)=u2ax2+u1ax+u0ai=14aivi(x)=v2ax2+v1ax+v0ai=14aiwi(x)=w2ax2+w1ax+w0a\begin{align*} \sum_{i=1}^4 a_iu_i(x) &= u_{2a}x^2+u_{1a}x+u_{0a}\\ \sum_{i=1}^4 a_iv_i(x) &= v_{2a}x^2+v_{1a}x+v_{0a}\\ \sum_{i=1}^4 a_iw_i(x) &= w_{2a}x^2+w_{1a}x+w_{0a}\\ \end{align*}

Combining a trusted setup with a QAP

We can now apply the structured reference string from the trusted setup to evaluate the polynomials.

That is, given a structured reference string

[Ω2,Ω1,G1],[Θ2,Θ1,G2], ΩiG1, ΘiG2[\Omega_2, \Omega_1, G_1], [\Theta_2, \Theta_1, G_2], \space\Omega_i \in \mathbb{G}_1, \space\Theta_i \in \mathbb{G}_2

which was computed in the trusted setup as

[Ω2,Ω1,G1]=[τ2G1,τG1,G1], ΩiG1[Θ2,Θ1,G2]=[τ2G2,τG2,G2], ΘiG2\begin{align*} [\Omega_2, \Omega_1, G_1] &= [\tau^2G_1, \tau G_1, G_1], \space\Omega_i \in \mathbb{G}_1\\ [\Theta_2, \Theta_1, G_2] &= [\tau^2G_2, \tau G_2, G_2], \space\Theta_i \in \mathbb{G}_2 \end{align*}

We can compute

[A]1=i=14aiui(τ)=[u2a,u1a,u0a],[Ω2,Ω1,G1][B]2=i=14aivi(τ)=[v2a,v1a,v0a],[Θ2,Θ1,G2][C]1=i=14aiwi(τ)=[v2a,v1a,v0a],[Ω2,Ω1,G1]\begin{align*} [A]_1 &=\sum_{i=1}^4 a_iu_i(\tau) = \langle[u_{2a}, u_{1a}, u_{0a}],[\Omega_2, \Omega_1, G_1]\rangle\\ [B]_2 &=\sum_{i=1}^4 a_iv_i(\tau) = \langle[v_{2a}, v_{1a}, v_{0a}],[\Theta_2, \Theta_1, G_2]\rangle\\ [C]_1 &=\sum_{i=1}^4 a_iw_i(\tau) = \langle[v_{2a}, v_{1a}, v_{0a}],[\Omega_2, \Omega_1, G_1]\rangle \\ \end{align*}

Here, ui(τ),vi(τ),wi(τ)u_i(\tau), v_i(\tau), w_i(\tau) mean the polynomials were evaluated using the structured reference string generated from τ\tau in the trusted setup, it does not mean “plug in τ\tau and evaluate the polynomials”. Since τ\tau was destroyed after the trusted setup, the value τ\tau is unknown.

We have computed most of the QAP using the srs, but we haven’t computed h(x)t(x)h(x)t(x) yet:

i=1maiui(x)[A]1i=1maivi(x)[B]2=i=1maiwi(x)[C]1+h(x)t(x)??\underbrace{\sum_{i=1}^m a_iu_i(x)}_{[A]_1}\underbrace{\sum_{i=1}^m a_iv_i(x)}_{[B]_2} = \underbrace{\sum_{i=1}^m a_iw_i(x)}_{[C]_1} + \underbrace{h(x)t(x)}_{??}

Computing h(x)t(x)h(x)t(x)

Recall that the degree of t(x)t(x) is 3 (generally nn) and the degree of h(x)h(x) is 1 (generally n2n - 2). If we multiply these together, we could get up to a degree 3 polynomial, which is more than the powers of tau ceremony provides. Instead, the powers of tau ceremony must be adjusted to provide a structured reference string for h(x)t(x)h(x)t(x).

The person doing the trusted setup knows t(x)t(x), it is simply (x1)(x2)...(xn)(x - 1)(x - 2)...(x - n). However, h(x)h(x) is a polynomial computed by the prover and changed based on the values of a\mathbf{a}, so it cannot be known during the trusted setup.

Note that we cannot evaluate h(τ)h(\tau) and t(τ)t(\tau) separately (using a structured reference string) and then pair them together. That would not result in a G1\mathbb{G}_1 element which we need.

SRS for polynomial products

Observe that the following computations all result in the same value:

  • The polynomial h(x)t(x)h(x)t(x) evaluated at uu, or (h(x)t(x))(u)(h(x)t(x))(u)
  • h(u)h(u) multiplied by t(u)t(u), or h(u)t(u)h(u)t(u) (hh evaluated at uu and tt evaluated at uu)
  • h(x)h(x) multiplied by the evaluation t(u)t(u), then evaluated at uu, i.e. (h(x)t(u))(u)(h(x)t(u))(u)

We will use the third method to compute h(τ)t(τ)h(\tau)t(\tau). Suppose, without loss of generality, that h(x)h(x) is 3x2+6x+23x^2 + 6x + 2 and t(u)=4t(u) = 4. The computation would be

h(x)t(u)=(3x2+6x+2)4=12x2+24x+8h(x)t(u) = (3x^2 + 6x + 2) \cdot 4 = 12x^2 + 24x + 8

If we plug in uu to the 12x2+24x+812x^2 + 24x + 8, that would be h(u)t(u)h(u)t(u).

However, evaluating this polynomial at τ\tau would require the prover to know τ\tau. The key insight here is that the computation above can be structured as:

h(u)t(u)=[3,6,2],[4u2,4u,4]=12u2+24u+8h(u)t(u) = \langle[3, 6, 2], [4u^2, 4u, 4]\rangle=12u^2+24u+8

If the trusted setup provides [4u2,4u,4][4u^2, 4u, 4], and the prover provides [3,6,2][3, 6, 2], then the prover can compute h(u)t(u)h(u)t(u) without knowing uu, because anything involving uu is in the right vector of the inner product.

Structured reference string for h(τ)t(τ)h(\tau)t(\tau)

To create a structured reference string for h(τ)t(τ)h(\tau)t(\tau), we create n1n - 1 evaluations of t(τ)t(\tau) multiplied by successive powers of τ\tau.

[Υn2,Υn3,...,Υ1,Υ0]=[τn2t(τ)G1,τn3t(τ)G1,...,τt(τ)G1,t(τ)G1][\Upsilon_{n-2}, \Upsilon_{n-3}, ..., \Upsilon_1, \Upsilon_0] = [\tau^{n-2}t(\tau)G_1, \tau^{n-3}t(\tau)G_1, ..., \tau t(\tau)G_1, t(\tau)G_1]

(Somewhat confusingly, a polynomial of degree kk has k+1k+1 terms, hence we generate k1k - 1 evaluations for a polynomial of degree k2k - 2. Note that Upsilon starts at n1{n-1} and ends at 0).

Here, nn is the number of rows in the R1CS, and we established that hh cannot have a degree greater than n2n - 2.

To use the structured reference string to compute h(τ)t(τ)h(\tau)t(\tau), the prover does:

h(τ)t(τ)=[hn2,hn3,...,h1,h0],[Υn2,Υn3,...,Υ1,Υ0]h(\tau)t(\tau) = \langle[h_{n-2}, h_{n-3}, ..., h_1, h_0], [\Upsilon_{n-2}, \Upsilon_{n-3}, ..., \Upsilon_1, \Upsilon_0] \rangle

Evaluating a QAP on a trusted setup

We now tie everything together. Suppose we have a R1CS with matrices of nn rows and mm columns. From this, we can apply Lagrange interpolation to convert it to a QAP

i=1maiui(x)i=1maivi(x)=i=1maiwi(x)+h(x)t(x)\sum_{i=1}^m a_iu_i(x)\sum_{i=1}^m a_iv_i(x) = \sum_{i=1}^m a_iw_i(x) + h(x)t(x)

The sum terms will each produce a polynomial of degree n1n - 1 (a Lagrange polynomial has one less degree than the number of points it interpolates), and the h(x)h(x) polynomial will have degree at most n2n - 2, and t(x)t(x) will have degree nn.

A trusted setup generates a random field element τ\tau and computes:

[Ωn1,Ωn2,...,Ω1,G1]=[τn1G1,τn2G1,,τG1,G1][Θn1,Θn2,...,Θ1,G2]=[τn1G2,τn2G2,,τG2,G2][Υn2,Υn3,...,Υ1,Υ0]=[τn2t(τ)G1,τn3t(τ)G1,...,τt(τ)G1,t(τ)G1]\begin{align*} [\Omega_{n-1},\Omega_{n-2},..., \Omega_1, G_1] &= [\tau^{n-1}G_1, \tau^{n-2}G_1,\dots, \tau G_1, G_1]\\ [\Theta_{n-1}, \Theta_{n-2}, ..., \Theta_1, G_2] &= [\tau^{n-1}G_2, \tau^{n-2}G_2,\dots, \tau G_2, G_2]\\ [\Upsilon_{n-2}, \Upsilon_{n-3}, ..., \Upsilon_1, \Upsilon_0] &= [\tau^{n-2}t(\tau)G_1, \tau^{n-3}t(\tau)G_1, ..., \tau t(\tau)G_1, t(\tau)G_1] \end{align*}

Note that the structured reference strings need to have enough terms to accomodate the polynomials in the QAP.

Then the trusted setup destroys τ\tau and publishes the structured reference strings:

([Ω2,Ω1,G1],[Θ2,Θ1,G2],[Υn2,Υn3,...,Υ1,Υ0])([\Omega_2, \Omega_1, G_1], [\Theta_2, \Theta_1, G_2], [\Upsilon_{n-2}, \Upsilon_{n-3}, ..., \Upsilon_1, \Upsilon_0])

The prover evaluates the components of the QAP as follows:

i=1maiui(x)Ai=1maivi(x)B=i=1maiwi(x)+h(x)t(x)C\underbrace{\sum_{i=1}^m a_iu_i(x)}_{A}\underbrace{\sum_{i=1}^m a_iv_i(x)}_B = \underbrace{\sum_{i=1}^m a_iw_i(x) + h(x)t(x)}_{C}
[A]1=i=1maiui(τ)=[un1a,un2a,,u1a,u0a],[Ωn1,Ωn2,,Ω1,G1][B]2=i=1maivi(τ)=[vn1a,vn2a,,v1a,v0a],[Θn1,Θn2,,Θ1,G2][C]1=i=0maiwi(τ)+h(τ)t(τ)=[wn1a,wn2a,,w1a,w0a],[Ωn1,Ωn2,,Ω1,G1]+[hn2,hn3,,h1,h0],[Υn2,Υn3,,Υ1,Υ0]\begin{align*} [A]_1 &=\sum_{i=1}^m a_iu_i(\tau) = \langle[u_{{n-1}a}, u_{{n-2}a}, \dots, u_{1a}, u_{0a}],[\Omega_{n-1}, \Omega_{n-2}, \dots, \Omega_1, G_1]\rangle\\ [B]_2 &=\sum_{i=1}^m a_iv_i(\tau) = \langle[v_{{n-1}a}, v_{{n-2}a}, \dots, v_{1a}, v_{0a}],[\Theta_{n-1}, \Theta_{n-2}, \dots, \Theta_1, G_2]\rangle\\ [C]_1 &=\sum_{i=0}^m a_iw_i(\tau) + h(\tau)t(\tau) = \langle[w_{{n-1}a}, w_{{n-2}a}, \dots, w_{1a}, w_{0a}],[\Omega_{n-1}, \Omega_{n-2}, \dots, \Omega_1, G_1]\rangle \\ &+\langle[h_{n-2}, h_{n-3}, \dots, h_1, h_0], [\Upsilon_{n-2}, \Upsilon_{n-3}, \dots, \Upsilon_1, \Upsilon_0] \rangle\\ \end{align*}

The prover publishes ([A]1,[B]2,[C]1)([A]_1, [B]_2, [C]_1) and the verifier can check that

[A]1[B]2=?[C]1G2[A]_1 \bullet [B]_2 \stackrel{?}= [C]_1 \bullet G_2

If the witness a\mathbf{a} satisfies the QAP, then the equation above will be balanced. But the equation being balanced doesn’t ensure the prover knows a satisfying a\mathbf{a} because the prover can publish arbitrary elliptic curve points and the verifier doesn’t know if they are actually derived from the QAP.

The proof is very small

Observe that the proof only consists of three elliptic curve points. If a G1\mathbb{G}_1 element is 64 bytes large, and a G2\mathbb{G}_2 element is 128 bytes large, then the proof is only 256 bytes. This is true regardless of the size of the R1CS!

The larger the R1CS, the more work the prover has, but the verifier’s work remains constant.

The solution to this problem is described in the next chapter on the Groth16 protocol.

The proof still remains of constant size in Groth16 as can be seen in the Tornado Cash source code on the struct
called Proof.

Originally Published August 28, 2023

Ready to Get Started?Join Thousands of Users Today

Start your free trial now and experience the difference. No credit card required.

© 2025 Better-Start. All rights reserved.

Product

Resources

Company

Legal