原文出自：https://blog.z.cash/snark-explain2/
作者：Ariel Gabizon
译者：Matter实验室

In this post, we recall the notion of a polynomial, and explain the notion of “blind evaluation” of a polynomial, and how it is implemented using Homomorphic Hiding (HH). (See Part I for an explanation of HH. ) In future posts, we will see that blind evaluation is a central tool in SNARK constructions.

在这篇文章中，我们将回顾多项式的概念，解释多项式“盲估”的概念，以及如何使用同态隐藏 (HH) 来实现这一方案。(请看 第一部分 对于 HH 的解释)。 在未来的文章中，我们将会认识到盲估是构建 SNARK 的核心工具。

We denote by Fp the field of size p; that is, the elements of Fp are {0,…,p−1} and addition and multiplication are done mod p as explained in Part I.

我们使用 Fp 来表示 p 的域的大小；也就是说，跟第一部分说明的一样，Fp 中的元素是 {0,...,p-1} ，并且加法和乘法都会执行 mod p。

POLYNOMIALS AND LINEAR COMBINATIONS

多项式和线性组合

Recall that a polynomial P of degree d over Fp is an expression of the form

P(X)=a0+a1⋅( X )+a2⋅( X^2 ) +…+ ad⋅( X^d )

, for some a0,…,ad ∈ Fp.

回忆一下具有 在 Fp 上的 d 阶多项式，是一个下面这种形式的表达式：

P(X)=a0+a1⋅( X )+a2⋅( X^2 ) +…+ ad⋅( X^d )

其中 a0,…,ad ∈ Fp

We can evaluate P at a point s ∈ Fp by substituting s for X, and computing the resultant sum

P(s)=a0+a1⋅( s )+a2⋅( s^2 )+…+ad⋅( s^d)

For someone that knows P, the value P(s) is a linear combination of the values 1,(s),…,(s^d) – where linear combination just means “weighted sum”, in the case of P(s) the “weights” are a0,…,ad.

我们可以这样在 s ∈ Fp 点上计算 P，让 s 代替 X，并计算总和。

P(s)=a0+a1⋅( s )+a2⋅( s^2 )+…+ad⋅( s^d)

根据大家所了解的 P，P(s) 的值是 1,(s),…,(s^d) 值的一个线性组合。—— 线性组合仅意味着“加权和”，在 P(s) 一例中权重就是 a0,…,ad。

In the last post, we saw the HH E defined by E(x)=g^x where g was a generator of a group with a hard discrete log problem. We mentioned that this HH “supports addition” in the sense that E(x+y) can be computed from E(x) and E(y). We note here that it also “supports linear combinations”; meaning that, given a,b,E(x),E(y), we can compute E(ax+by). This is simply because

E(ax+by)=g^( ax+by )=g^( ax )⋅g^( by )=( ( g^x )^a )⋅( ( g^y )^b )=( E(x)^a )⋅( E(y)^b ).

在上一篇文章中，我们看到了用 E(x)=g^x 定义的带HH性质的 E，其中 g 是一个采用难离散对数问题的群生成器。我们提到，这种HH“加法支持”，能用E(x)和E(y)计算出E(x+y)。 我们在这儿指出，HH一样能“支持线性组合”；这意味着，给定 a,b,E(x),E(y) ，我们能计算出 E(ax+by)。原理很简单，因为：

E(ax+by)=g^( ax+by )=g^( ax )⋅g^( by )=( ( g^x )^a )⋅( ( g^y )^b )=( E(x)^a )⋅( E(y)^b )

BLIND EVALUATION OF A POLYNOMIAL

某个多项式的盲估

Suppose Alice has a polynomial P of degree d, and Bob has a point s ∈ Fp that he chose randomly. Bob wishes to learn E(P(s)), i.e., the HH of the evaluation of P at s. Two simple ways to do this are:

• Alice sends P to Bob, and he computes E(P(s)) by himself.
• Bob sends s to Alice; she computes E(P(s)) and sends it to Bob.

假设 Alice 有 d 阶多项式 P， 并且 Bob 可以随机地选择一个点 s∈Fp ， Bob 期望知道 E(P(s))，这就是于 s 点对 P 进行评估的同态隐藏(HH)，做到这点有两种简单的方式：

• Alice 发送 P 给 Bob，从而 Bob 可以自行计算 E(P(s))。
• Bob 发送 s 给 Alice；Alice计算 E(P(s)) 并发送给 Bob。

However, in the blind evaluation problem we want Bob to learn E(P(s)) without learning P – which precludes the first option; and, most importantly, we don’t want Alice to learn s, which rules out the second [1].

[1] The main reason we don’t want to send P to Bob, is simply that it is large – (d+1) elements, where, for example, d~2000000 in the current Zcash protocol; this ultimately has to do with the “Succinct” part of SNARKs. It is true that the sequence of hidings Bob is sending to Alice above is just as long, but it will turn out this sequence can be “hard-coded” in the parameters of the system, whereas Alice’s message will be different for each SNARK proof.

然而，在盲估问题中，我们希望 Bob 在不了解 P 的情况下了解 E(P(s)) – 这将排除第一种选择； 更重要的是，我们不希望 Alice 了解 s ，这将排除第二种选择 [1]。

• • [1] 我们不想将 P 发送给 Bob 的主要原因是，仅仅是因为它太大了——(d+1)个元素，比如，现有的Zcash协议中 d 的值将近2百万；它最终会与“简洁的” SNARKs 协同工作。事实上，上面Bob发送给Alice的匿数序列也一样长，但是这个序列能够作为系统的参数硬编码到系统中，而每次SNARK证明时Alice的消息都不相同。

Using HH, we can perform blind evaluation as follows.

• Bob sends to Alice the hidings E(1),E(s),…,E(s^d).

• Alice computes E(P(s)) from the elements sent in the first step, and sends E(P(s)) to Bob. (Alice can do this since E supports linear combinations, and P(s) is a linear combination of 1,s,…,sd.)

Note that, as only hidings were sent, neither Alice learned s [2], nor Bob learned P.

[2] Actually, the hiding property only guarantees s not being recoverable from E(s), but here we want to claim it is also not recoverable from the sequence E(s),…,E(s^d) that potentially contains more information about s. This follows from the d-power Diffie-Hellman assumption, which is needed in several SNARK security proofs.

使用HH，我们可以像下面一样进行盲估。

• Bob发送匿数 E(1),E(s),…,E(s^d) 给Alice。
• Alice根据送达的匿数计算 E(P(s)) ，并且发送 E(P(s)) 给Bob。(Alice能够利用E对线性组合的支持进行计算，并且 P(s) 就是 1,s,...,s^d 的线性组合。)

可以注意到，因为只有匿数被发送，Alice不会了解 s[2],Bob也不会了解 P.

• • [2] 事实上，隐藏特性仅仅保证了 s 不能由 E(s) 反推得到，但在这里，我们想强调它同样不可能由序列 E(s),…,E(s^d) 反推得到，虽然这个序列包涵了很多 s 的信息。这样的判断缘于 Diffie-Hellman 假设，这个假设论证了 SNARK 的安全性。

WHY IS THIS USEFUL?

为什么这是一个有用的方法

Subsequent posts will go into more detail as to how blind evaluation is used in SNARKs. The rough intuition is that the verifier has a “correct” polynomial in mind, and wishes to check the prover knows it. Making the prover blindly evaluate their polynomial at a random point not known to them, ensures the prover will give the wrong answer with high probability if their polynomial is not the correct one. This, in turn, relies on the Schwartz-Zippel Lemma stating that “different polynomials are different at most points”.

在后面的文章中，我们将详细讨论盲估技术如何被应用于 SNARKs。 大致的解释是，验证器在内部有一个 “正确的”多项式，它需要检查是否证明方知道这件事。这将使得证明方可以在一个他们不知道的随机的点上验证他们是否知道这个多项式，并保证证明方的多项式如果不正确，他有更高的几率得到一个报错。这种做法依赖于Schwartz-Zippel引理说明，即“不同多项式在大多数点是相同的”。

译者总结

数学关系

交互模型