Part 2 of a 4-part series. In Part 1,<\/a> we built the mental model. In Part 3<\/a>, we\u2019ll cover zero-knowledge and Groth16. Part 4 re-implements TornadoCash.<\/p>\n I know this post is a little bit long, but trust me it\u2019s better to have all the math in one place rather than trying to figure out what is happening in several\u00a0posts.<\/p>\n In the previous post we built the intuition. A prover convinces a verifier that they know<\/strong> something, without revealing what they\u00a0know.<\/p>\n Now let\u2019s open the\u00a0hood.<\/p>\n How does a piece of code, like x\u00b3 + x + 5 = 35, become a cryptographic proof that is only 200 bytes<\/strong> and takes about 1 millisecond<\/strong> to\u00a0verify?<\/p>\n That\u2019s not metaphor. That\u2019s what zkSNARKs<\/strong> actually\u00a0deliver.<\/p>\n To get there, we\u2019ll walk through four big\u00a0ideas:<\/p>\n Turning computation into\u00a0gates<\/strong>Turning gates into constraints<\/strong> (R1CS)Turning constraints into a single polynomial equation<\/strong>\u00a0(QAP)Using elliptic curve pairings<\/strong> to check that equation without revealing anything<\/p>\n No magic. Just careful layering. And at every step, real numbers you can verify yourself (I strongly suggest to the math by yourself, so it\u2019s better to bring pen and\u00a0paper)<\/strong>.<\/p>\n Let\u2019s start.<\/p>\n We want to\u00a0prove:<\/p>\n \u201cI know a value x such that x\u00b3 + x + 5 =\u00a035\u201d<\/p>\n Without revealing x.<\/p>\n Spoiler: x = 3. But the prover will never say that. The verifier will just get a 200-byte proof, and a \u201cyes, they know\u00a0it.\u201d<\/p>\n This is a tiny toy. Real zkSNARKs prove things like \u201cI performed a valid Zcash transaction\u201d or \u201cthis ML model was evaluated correctly.\u201d But the machinery is identical. If you understand x\u00b3 + x + 5, you can understand Zcash.<\/p>\n A computer doesn\u2019t \u201cknow\u201d algebra. It knows how to add, and how to multiply. Everything else is built on\u00a0top.<\/p>\n So the first step of any zkSNARK is to flatten<\/strong> the computation into a sequence of very simple statements\u200a\u2014\u200aeach one either an addition or a multiplication.<\/p>\n Every statement must look\u00a0like:<\/p>\n variable = variable (op) variable<\/p>\n Where op is +, -, *, or \/. And each operation takes exactly two\u00a0inputs<\/strong>.<\/p>\n No nested expressions. No \u201cdo three things at once.\u201d Just one operation per\u00a0line.<\/p>\n Three reasons, each important:<\/p>\n 1. It matches how real CPUs work.<\/strong> An ADD r1, r2, r3 instruction means “add r2 to r3, store in r1.” Flattening is essentially the assembly-language trace of your\u00a0program.<\/p>\n 2. Every intermediate value gets named.<\/strong> If your computation has unnamed sub-expressions, you can\u2019t pin them down cryptographically. By naming every intermediate, we create variables the prover must commit\u00a0to.<\/p>\n 3. It maps cleanly to the next step.<\/strong> Each multiplication gate will become exactly one row of R1CS. If we allowed 3-input gates, that clean 1-to-1 mapping would\u00a0break.<\/p>\n The expression x\u00b3 + x + 5 isn’t atomic. Let’s break it\u00a0down:<\/p>\n sym_1 = x * x \u2190 computes x\u00b2 Three lines. Each one a single\u00a0gate.<\/p>\n Every intermediate value gets its own name (sym_1, sym_2). These names matter\u200a\u2014\u200athey become witness variables<\/strong> later.<\/p>\n Picture this as a circuit\u200a\u2014\u200aa network of gates wired together:<\/p>\n x\u00b3 + x + 5 to gates of addition and multiplication<\/p>\n Each gate has two inputs\u200a\u2014\u200aLeft<\/strong> and Right<\/strong>\u200a\u2014\u200aand one output<\/strong>. The output of one gate can fan out to become the input of many later gates. This shape\u200a\u2014\u200agates wired by their inputs and outputs\u200a\u2014\u200ais the foundation of everything that\u00a0follows.<\/p>\n Here\u2019s a practical fact that shapes how real ZK circuits are designed:<\/p>\n Operation Cost a + b free<\/strong> a \u2212 b free<\/strong> 5 \u00d7 a (times a constant) free<\/strong> a + 7 (plus a constant) free<\/strong> a \u00d7 b<\/strong> (between two secrets) 1 constraint<\/strong> a \u00d7 a<\/strong> (squaring) 1 constraint<\/strong><\/p>\n Only multiplications between two secret variables cost something (and thus a constraint)<\/strong>.<\/p>\n This is why ZK-friendly hash functions<\/strong> like Poseidon exist. A SHA-256 invocation takes roughly 27,000 multiplication constraints. Poseidon hashes the same amount of data in around 200 constraints\u200a\u2014\u200aover 100\u00d7 cheaper<\/strong>. When you hear \u201cthis circuit has 30,000 constraints,\u201d they always mean 30,000 multiplication gates.<\/p>\n Now here\u2019s the cleanest idea in the whole\u00a0system.<\/p>\n Every multiplication gate becomes one constraint<\/strong> with three\u00a0slots:<\/p>\n (Left input) \u00d7 (Right input) =\u00a0(Output)<\/em><\/strong><\/p>\n We call this R1CS\u200a\u2014\u200aRank-1 Constraint System<\/strong>. The \u201crank 1\u201d means each constraint is one linear thing times one linear thing equals one linear\u00a0thing.<\/p>\n This is the twist that makes R1CS powerful. Each slot doesn\u2019t have to be just one variable. It can be a sum of variables<\/strong>, each multiplied by some coefficient.<\/p>\n For example, a valid R1CS constraint could look\u00a0like:<\/p>\n (2x + 3y + 5) \u00d7 (z) = (out)<\/p>\n The left slot is a linear combo. The right slot is just z. The output is just out. Still one constraint.<\/p>\n Why allow this?<\/strong> Because additions are free. If your circuit needs to sum several numbers before multiplying, we pack those additions directly into the slot. No extra gates. No extra constraints.<\/p>\n Think of each slot as a little \u201cpre-processor\u201d that can take as many witness values as it wants, weight them, sum them up\u200a\u2014\u200aand hand the result to the multiplication.<\/p>\n To express these linear combinations, we put all the variables into one ordered list called the\u00a0witness<\/strong>.<\/p>\n For our\u00a0example:<\/p>\n w = (1, out, x, sym_1, sym_2)<\/p>\n By convention:<\/p>\n Position 0 is always 1 (the constant wire<\/strong>\u200a\u2014\u200athis lets us inject constants like 5 into linear combinations)Then the public variables (like\u00a0out)Then the private variables and intermediates (x, sym_1,\u00a0sym_2)<\/p>\n With x =\u00a03:<\/p>\n w = (1, 35, 3, 9, 27)<\/p>\n This is the complete witness. The prover knows all 5 values<\/strong>. The verifier knows only the public part<\/strong>: w[0] = 1 and w[1] = out =\u00a035.<\/p>\n Here\u2019s the shape in full\u00a0detail:<\/p>\n (a\u2080\u00b7w\u2080 + a\u2081\u00b7w\u2081 + a\u2082\u00b7w\u2082 + …) \u00d7 The coefficients (a\u2080, a\u2081,\u00a0…, b\u2080, b\u2081,\u00a0…, c\u2080, c\u2081,\u00a0…) are fixed at circuit design time<\/strong>. They’re part of the public description of the problem. The prover doesn’t choose\u00a0them.<\/p>\n What the prover does choose is the witness\u00a0w.<\/p>\n Think of each constraint as a stencil<\/strong>: three patterns that, when laid over the witness, extract three numbers. The constraint is \u201cthose three numbers must satisfy L \u00d7 R =\u00a0O.\u201d<\/p>\n How gate3 works in Left, Right, Output\u00a0system<\/p>\n Let\u2019s do all three gates of our example. This is where you should slow down and trace with pen and paper\u200a\u2014\u200athe pattern is simple once you see\u00a0it.<\/p>\n costly operators are blue, and free operators are\u00a0green<\/p>\n Gate 1:<\/strong> x \u00d7 x =\u00a0sym_1<\/p>\n Left slot picks <\/strong>x<\/strong>: a = (0, 0, 1, 0,\u00a00)Right slot picks <\/strong>x<\/strong>: b = (0, 0, 1, 0,\u00a00)Output slot picks <\/strong>sym_1<\/strong>: c = (0, 0, 0, 1,\u00a00)<\/p>\n Verify:<\/p>\n a \u00b7 w = 0 + 0 + 1\u00b73 + 0 + 0 =\u00a03<\/strong>b \u00b7 w =\u00a03<\/strong>c \u00b7 w = 0 + 0 + 0 + 1\u00b79 + 0 =\u00a09<\/strong>Check: 3 \u00d7 3 = 9\u00a0\u2713<\/p>\n Notice a and b are identical here. That’s how we encode squaring<\/strong>\u200a\u2014\u200aplug the same variable into both\u00a0ports.<\/p>\n Gate 2:<\/strong> sym_1 \u00d7 x =\u00a0sym_2<\/p>\n a = (0, 0, 0, 1, 0) \u2192 picks\u00a0sym_1b = (0, 0, 1, 0, 0) \u2192 picks\u00a0xc = (0, 0, 0, 0, 1) \u2192 picks\u00a0sym_2<\/p>\n Verify:<\/p>\n a \u00b7 w =\u00a09b \u00b7 w =\u00a03c \u00b7 w =\u00a027Check: 9 \u00d7 3 = 27\u00a0\u2713<\/p>\n Here the output of gate 1 (sym_1 = w[3] = 9) becomes the left input of gate 2. In R1CS this is just “select w[3] in the Left slot”\u200a\u2014\u200asimple.<\/p>\n Gate 3:<\/strong> (sym_2 + x + 5) \u00d7 1 =\u00a0out<\/p>\n How gate3 works in Left, Right, Output\u00a0system<\/p>\n This gate shows off linear combinations. The left side is three things added together.<\/p>\n Left slot<\/strong>: 5\u00b7w[0] + 1\u00b7w[2] + 1\u00b7w[4], so a = (5, 0, 1, 0,\u00a01)<\/strong>Right slot<\/strong>: just 1, so b = (1, 0, 0, 0,\u00a00)<\/strong>Output slot<\/strong>: just out, so c = (0, 1, 0, 0,\u00a00)<\/strong><\/p>\n Verify:<\/p>\n a \u00b7 w = 5\u00b71 + 1\u00b73 + 1\u00b727 = 35<\/strong> \u2190 the sum (sym_2 + x +\u00a05)b \u00b7 w =\u00a01c \u00b7 w =\u00a035Check: 35 \u00d7 1 = 35\u00a0\u2713<\/p>\n This gate uses three R1CS tricks at\u00a0once:<\/strong><\/p>\n Constant injection<\/strong> via w[0] = 1: the coefficient 5 on position 0 means “add the constant 5 to this\u00a0slot”Multi-wire linear combination<\/strong>: three variables (w[0], w[2], w[4]) contribute to one\u00a0slotMultiply by 1<\/strong>: since gate 3 is really just addition, we multiply by 1 to fit the L\u00b7R=O\u00a0shape<\/p>\n Here\u2019s what all three gates look like laid out together:<\/p>\n Now we collect all the a vectors into a matrix A, all the b vectors into B, all the c vectors into C. Each row is one\u00a0gate:<\/p>\n w\u2080 w\u2081 w\u2082 w\u2083 w\u2084 w\u2080 w\u2081 w\u2082 w\u2083 w\u2084 w\u2080 w\u2081 w\u2082 w\u2083 w\u2084 The R1CS condition is:<\/p>\n (A\u00b7w) \u2299 (B\u00b7w) =\u00a0C\u00b7w<\/em><\/strong><\/p>\n where \u2299 is componentwise multiplication. All three constraints collapsed into one matrix equation.<\/p>\n Let me\u00a0verify:<\/p>\n A\u00b7w = (3, 9,\u00a035)B\u00b7w = (3, 3,\u00a01)Componentwise product: (9, 27,\u00a035)C\u00b7w = (9, 27, 35)\u00a0\u2713<\/p>\n All three constraints hold. The witness is\u00a0valid.<\/p>\n Row-wise<\/strong>: Each row is one gate\u2019s stencil. This is how you check<\/em> a\u00a0witness.<\/p>\n Column-wise<\/strong>: Each column is one variable\u2019s \u201cparticipation pattern across gates.\u201d Column 2 (index 2 actually, column 3) of A says: \u201cvariable x shows up in the Left slot of gate 1 (coefficient 1), not in gate 2 (coefficient 0), and in gate 3 (coefficient 1).\u201d<\/p>\n This column view is the key conceptual shift for the next step. We\u2019re about to turn each column<\/strong> into a polynomial<\/strong>.<\/p>\n We now have 3 constraints (We are talking about each column of each matrix, A, B or C)<\/strong>. Checking 3 constraints is no problem. But real ZK circuits have millions<\/strong> of constraints. Checking them one by one isn\u2019t succinct\u200a\u2014\u200ait\u2019s not even\u00a0close.<\/p>\n We need to collapse all constraints into one equation<\/strong>.<\/p>\n The tool: polynomial interpolation<\/strong>.<\/p>\n Pick 3 distinct points\u200a\u2014\u200asay x = 1, 2, 3. Think of each point as \u201cthe index of one gate (constraint actually).\u201d<\/p>\n (Again we are talking about each column of each matrix, now matrix\u00a0A)<\/strong><\/p>\n For each witness variable j, we build a polynomial that encodes its participation in the L slot across all\u00a0gates:<\/p>\n u_j(1) = coefficient of w_j in gate 1\u2019s L slot Three points, one polynomial. Lagrange interpolation gives us a unique polynomial of degree \u2264 2 through any 3\u00a0points.<\/p>\n for example, we now Talking about matrix A and column with index 2 (third\u00a0column).<\/p>\n matrix Au_2(1) = 1 We do the same for the R slot (getting v_j polynomials) and the O slot (getting w_j polynomials\u200a\u2014\u200awarning, overloaded notation: <\/strong>w_j the polynomial is different from <\/strong>w[j] the witness\u00a0value)<\/strong>.<\/p>\n Let\u2019s build u_x(\u03bb) for our variable x (index 2 in the witness).<\/p>\n Looking at column 2 of matrix A, x appears with coefficients:<\/p>\n Gate 1 Left:\u00a01Gate 2 Left:\u00a00Gate 3 Left:\u00a01<\/p>\n So we want a polynomial u_x(\u03bb) (or it\u2019s better to write u_2(\u03bb) because \u201cx\u201d is index 2 of witness array)\u00a0with:<\/p>\n u_2(1) =\u00a01u_2(2) =\u00a00u_2(3) =\u00a01<\/p>\n Lagrange interpolation<\/strong> gives us a recipe. For 3 points (1, 2, 3), the basis polynomials are:<\/p>\n \u2113\u2081(\u03bb) = (\u03bb \u2212 2)(\u03bb \u2212 3) \/ 2 Each \u2113\u1d62 equals 1 at its own point and 0 at the other two.\u00a0So:<\/p>\n u_2(\u03bb) = 1\u00b7\u2113\u2081(\u03bb) + 0\u00b7\u2113\u2082(\u03bb) + 1\u00b7\u2113\u2083(\u03bb) Check:<\/p>\n u_2(1) = 1 \u2212 4 + 4 = 1\u00a0\u2713u_2(2) = 4 \u2212 8 + 4 = 0\u00a0\u2713u_2(3) = 9 \u2212 12 + 4 = 1\u00a0\u2713<\/p>\n This is the polynomial encoding \u201chow x (index 2 of witness) participates in the Left slot across our three\u00a0gates.”<\/p>\n We do this for every witness variable, for all three slot types (L, R, O). That gives us a whole library of polynomials. They\u2019re all computed from the circuit<\/strong>, once\u200a\u2014\u200anot per-witness.<\/p>\n Once we have all the per-variable polynomials, we build three big polynomials by summing them weighted by the\u00a0witness:<\/p>\n U(\u03bb) = sum over all j of (w[j] \u00b7 u_j(\u03bb)) \u2190 the combined Left The magic property:<\/p>\n U(i) = the Left slot value of gate i<\/em><\/strong> (Do not cofuse above \u201cW\u201d with\u00a0witness)<\/strong><\/p>\n (for i = 1, 2, 3\u200a\u2014\u200athe three gate\u00a0indices)<\/p>\n For our witness w = (1, 35, 3, 9, 27), a bit of arithmetic gives:<\/p>\n U(\u03bb) = 10\u03bb\u00b2 \u2212 24\u03bb +\u00a017V(\u03bb) = \u2212\u03bb\u00b2 + 3\u03bb +\u00a01W(\u03bb) = \u22125\u03bb\u00b2 + 33\u03bb \u2212\u00a019<\/p>\n This is where you can see the construction really works. Plug in \u03bb= 1, 2,\u00a03:<\/p>\n At <\/strong>\u03bb= 1 (gate\u00a01):<\/strong><\/p>\n U(1) = 10 \u2212 24 + 17 = 3<\/strong> (Left of gate 1 = x = 3\u00a0\u2713)V(1) = \u22121 + 3 + 1 = 3<\/strong> (Right of gate 1 = x = 3\u00a0\u2713)W(1) = \u22125 + 33 \u2212 19 = 9<\/strong> (Output of gate 1 = sym_1 = 9\u00a0\u2713)<\/p>\n At <\/strong>\u03bb= 2 (gate\u00a02):<\/strong><\/p>\n U(2) = 40 \u2212 48 + 17 = 9<\/strong> (Left of gate 2 = sym_1 = 9\u00a0\u2713)V(2) = \u22124 + 6 + 1 = 3<\/strong> (Right of gate 2 = x = 3\u00a0\u2713)W(2) = \u221220 + 66 \u2212 19 = 27<\/strong> (Output of gate 2 = sym_2 = 27\u00a0\u2713)<\/p>\n At <\/strong>\u03bb= 3 (gate\u00a03):<\/strong><\/p>\n U(3) = 90 \u2212 72 + 17 = 35<\/strong> (Left of gate 3 = sym_2 + x + 5 = 35\u00a0\u2713)V(3) = \u22129 + 9 + 1 = 1<\/strong> (Right of gate 3 = 1\u00a0\u2713)W(3) = \u221245 + 99 \u2212 19 = 35<\/strong> (Output of gate 3 = out = 35\u00a0\u2713)<\/p>\n The polynomials literally encode the gate computations. Every gate\u2019s constraint becomes:<\/p>\n U(i) \u00d7 V(i) \u2212 W(i) =\u00a00<\/em><\/p>\n Define the polynomial:<\/p>\n P(\u03bb) = U(\u03bb) \u00b7 V(\u03bb) \u2212 W(\u03bb)<\/p>\n From the checks\u00a0above:<\/p>\n P(1) = 3\u00b73 \u2212 9 =\u00a00<\/strong>P(2) = 9\u00b73 \u2212 27 =\u00a00<\/strong>P(3) = 35\u00b71 \u2212 35 =\u00a00<\/strong><\/p>\n P(\u03bb) vanishes at \u03bb= 1, 2, 3. Which means P(\u03bb) is divisible<\/strong> by:<\/p>\n t(\u03bb) = (\u03bb \u2212 1)(\u03bb \u2212 2)(\u03bb \u2212 3)<\/p>\n t(\u03bb) is called the target polynomial<\/strong>. It’s a public property of the circuit\u200a\u2014\u200aonce the circuit is fixed, t(\u03bb) is fixed\u00a0too.<\/p>\n And the quotient:<\/p>\n h(\u03bb) = P(\u03bb) \/ t(\u03bb)<\/p>\n is a clean polynomial with no remainder\u200a\u2014\u200abut only if all constraints are satisfied.<\/strong><\/p>\n If even one constraint fails, P(\u03bb) won\u2019t vanish at the corresponding gate index, and t(\u03bb) won\u2019t divide P(\u03bb)\u00a0cleanly.<\/p>\n So the entire R1CS collapses into this one equation:<\/p>\n U(<\/em><\/strong>\u03bb) \u00b7 V(<\/em><\/strong>\u03bb) \u2212 W(<\/em><\/strong>\u03bb) = h(<\/em><\/strong>\u03bb) \u00b7\u00a0t(<\/em><\/strong>\u03bb)<\/em><\/strong><\/p>\n This is a QAP\u200a\u2014\u200aQuadratic Arithmetic Program<\/strong>. One equation. Any number of\u00a0gates.<\/p>\n Let me show you that this is a real polynomial identity, not a coincidence at the three gate\u00a0points.<\/p>\n At \u03bb=\u00a05:<\/p>\n U(5) = 250 \u2212 120 + 17 =\u00a0147V(5) = \u221225 + 15 + 1 =\u00a0\u22129W(5) = \u2212125 + 165 \u2212 19 =\u00a021P(5) = 147\u00b7(\u22129) \u2212 21 = \u22121323 \u2212 21 =\u00a0\u22121344<\/strong><\/p>\n Now t(5) = 4\u00b73\u00b72 = 24<\/strong>. And you can compute h(\u03bb) = \u221210\u03bb \u2212 6 (it\u2019s linear because h has degree 4 \u2212 3 = 1), so h(5) =\u00a0\u221256.<\/p>\n h(5) \u00b7 t(5) = \u221256 \u00b7 24 = \u22121344<\/strong>\u00a0\u2713<\/p>\n Match. The identity holds everywhere\u200a\u2014\u200anot just at the gate points\u200a\u2014\u200abecause it\u2019s a real polynomial equation.<\/p>\n We\u2019ve moved from \u201ccheck 3 constraints\u201d<\/strong> to \u201ccheck whether one polynomial divides another.\u201d<\/strong><\/p>\n For a 30-million-gate circuit, this is a massive win: instead of 30 million separate checks, we have one polynomial identity that captures all of\u00a0them.<\/p>\n But we still have one problem: how do we check this identity without revealing the\u00a0witness<\/strong>?<\/p>\n That\u2019s the last piece\u200a\u2014\u200aelliptic curves and pairings.<\/p>\n We now need a way for the prover to commit to values like U(\u03c4), V(\u03c4), W(\u03c4), h(\u03c4), and let the verifier check the polynomial identity\u200a\u2014\u200awithout anyone ever learning what these values\u00a0are.<\/p>\n This is where elliptic curves come\u00a0in.<\/p>\nThe Example We\u2019ll Carry Through the Whole\u00a0Post<\/h3>\n
Step 1: Turning Computation Into\u00a0Gates<\/h3>\n
The Flattening Rule<\/h3>\n
Why This Restriction?<\/h3>\n
Flattening Our\u00a0Example<\/h3>\n
sym_2 = sym_1 * x \u2190 computes x\u00b3
out = (sym_2 + x + 5) * 1 \u2190 the final sum<\/p>\nThe Circuit\u00a0View<\/h3>\n
Free vs. Expensive Operations<\/h3>\n
Step 2: Constraints With Three Slots (L \u00b7 R =\u00a0O)<\/h3>\n
Each Slot Is a Linear Combination<\/h3>\n
The Witness\u00a0Vector<\/h3>\n
Anatomy of One Constraint<\/h3>\n
(b\u2080\u00b7w\u2080 + b\u2081\u00b7w\u2081 + b\u2082\u00b7w\u2082 + …) =
(c\u2080\u00b7w\u2080 + c\u2081\u00b7w\u2081 + c\u2082\u00b7w\u2082 + …)<\/p>\nWriting Each Gate as a Constraint<\/h3>\n
Stacking Into\u00a0Matrices<\/h3>\n
\u250c \u2510 \u250c \u2510 \u250c \u2510
A = \u2502 0 0 1 0 0\u2502 B = \u2502 0 0 1 0 0\u2502 C = \u2502 0 0 0 1 0\u2502
\u2502 0 0 0 1 0\u2502 \u2502 0 0 1 0 0\u2502 \u2502 0 0 0 0 1\u2502
\u2502 5 0 1 0 1\u2502 \u2502 1 0 0 0 0\u2502 \u2502 0 1 0 0 0\u2502
\u2514 \u2518 \u2514 \u2518 \u2514 \u2518<\/p>\nTwo Ways to Read These\u00a0Matrices<\/h3>\n
Step 3: One Polynomial to Rule Them\u00a0All<\/h3>\n
The Core\u00a0Idea<\/h3>\n
u_j(2) = coefficient of w_j in gate 2\u2019s L slot
u_j(3) = coefficient of w_j in gate 3\u2019s L\u00a0slot<\/em><\/p>\n
u_2(2) = 0
u_2(3) =\u00a01<\/em><\/p>\nBuilding a Polynomial from Scratch\u200a\u2014\u200aWorked\u00a0Example<\/h3>\n
\u2113\u2082(\u03bb) = \u2212(\u03bb \u2212 1)(\u03bb \u2212 3)
\u2113\u2083(\u03bb) = (\u03bb \u2212 1)(\u03bb \u2212 2) \/ 2<\/p>\n
= (\u03bb\u22122)(\u03bb\u22123)\/2 + (\u03bb\u22121)(\u03bb\u22122)\/2
= (\u03bb\u22122)\u00b7[(\u03bb\u22123) + (\u03bb\u22121)] \/ 2
= (\u03bb\u22122)(2\u03bb\u22124)\/2
= (\u03bb\u22122)\u00b2
= \u03bb\u00b2 \u2212 4\u03bb + 4u_2(\u03bb) = \u03bb\u00b2 -4\u03bb +\u00a04<\/p>\nThe Combined Polynomials<\/h3>\n
V(\u03bb) = sum over all j of (w[j] \u00b7 v_j(\u03bb)) \u2190 the combined Right
W(\u03bb) = sum over all j of (w[j] \u00b7 w_j(\u03bb)) \u2190 the combined Output<\/p>\n
<\/em>V(i) = the Right slot value of gate i<\/em><\/strong>
<\/em>W(i) = the Output slot value of gate\u00a0i<\/em><\/strong><\/p>\nVerify U, V, W at Every Gate\u00a0Index<\/h3>\n
The Key\u00a0Identity<\/h3>\n
The QAP: One Equation for Everything<\/h3>\n
A Sanity Check at a Random\u00a0Point<\/h3>\n
Why This\u00a0Matters<\/h3>\n
Step 4: Elliptic Curve Pairings\u200a\u2014\u200aChecking Without\u00a0Seeing<\/h3>\n
The Basic Tool: Scalar Multiplication on a\u00a0Curve<\/h3>\n