## Kate承诺证明爱因斯坦推理题的答案（一）

回顾在第一部分已经将原15个约束+答案转化成一个通过已知16个点的多项式，我们知道16个点可以确定一个15阶的多项式，大家也可以去找一些电路描述定义的语言或者工具以及编译器例如circom，可以直接编译成电路。本系列主要是完整的展示zksnark的核心原理kate承诺，因此先用拉格朗日插值法得到多项式的系数，然后再将此多项式转化为R1CS、QAP，然后实现Kate承诺，读者可以对照V神的科普文章加深理解。跟zkstark里在有限域上操作类似，这里也是在有限域上的操作。<br>
首先我们把之前得到的16个点再列出来：
$$ f \begin{bmatrix}
121 \\
105 \\
136 \\
11 \\
120 \\
16 \\
55 \\
125 \\
86 \\
141 \\
20 \\
59 \\
50 \\
34 \\
137 \\
53 \\
\end{bmatrix} =  \begin{bmatrix}
121 \\
105 \\
136 \\
11 \\
120 \\
16 \\
55 \\
125 \\
86 \\
36 \\
129 \\
59 \\
50 \\
118 \\
1 \\
8 \\
\end{bmatrix} $$

跟zkstark不同的是，我们在这里要选择一个有限域椭圆曲线，为了应用zksnark，这里必须选一个对配对友好的椭圆曲线，目前公认的最优选择是在zcash中首次应用的BLS12-381，本文参考一个bls12-381的python实现，其代码链接为：https://github.com/pablo-vs/BLS

In [124]:
from curve import (
    curve_order,
    G1,
    G2,
    pairing,
)
from curve.encoding import (
    encodePubKey,
    decodePubKey,
    encodePrivKey,
    decodePrivKey,
    encodeSignature,
    decodeSignature,
    ENDIANNESS
)
from curve.curve_fields import (
    FQ,
    FQ2,
    FQ12
)
from curve.fields import (
    polynomial_division
)

import random
from hashlib import sha256
import operator
from functools import reduce
try:
    from tqdm import tqdm
except ModuleNotFoundError:
    # tqdm is a wrapper for iterators implementing a progress bar. If it's
    # not available, simply return the iterator itself.
    tqdm = lambda x: x

def prod(values):
    """
    Computes a product.
    """
    len_values = len(values)
    if len_values == 0:
        return 1
    if len_values == 1:
        return values[0]
    return prod(values[:len_values // 2]) * prod(values[len_values // 2:])

#print(prod(monomials))

def calculate_lagrange_polynomials(x_values):
    """
    Given the x_values for evaluating some polynomials, it computes part of the lagrange polynomials
    required to interpolate a polynomial over this domain.
    """
    lagrange_polynomials = []
    monomials = [type(f"Polynomial", (Polynomial,), {'coef_type': FQ, 'var': "x"})(0, 1) -
        type(f"Polynomial", (Polynomial,), {'coef_type': FQ, 'var': "x"})(x) for x in x_values]
    numerator = prod(monomials)
    for j in tqdm(range(len(x_values))):
        # In the denominator, we have:
        # (x_j-x_0)(x_j-x_1)...(x_j-x_{j-1})(x_j-x_{j+1})...(x_j-x_{len(X)-1})
        denominator = prod([x_values[j] - x for i, x in enumerate(x_values) if i != j])
        # Numerator is a bit more complicated, since we need to compute a poly multiplication here.
        # Similarly to the denominator, we have:
        # (x-x_0)(x-x_1)...(x-x_{j-1})(x-x_{j+1})...(x-x_{len(X)-1})
        cur_poly, _ = polynomial_division(numerator, monomials[j]*denominator)
        lagrange_polynomials.append(cur_poly)
    return lagrange_polynomials


def interpolate_poly_lagrange(y_values, lagrange_polynomials):
    """
    :param y_values: y coordinates of the points.
    :param lagrange_polynomials: the polynomials obtained from calculate_lagrange_polynomials.
    :return: the interpolated poly/
    """
    poly = type(f"Polynomial", (Polynomial,), {'coef_type': FQ, 'var': "x"})(0)
    for j, y_value in enumerate(y_values):
        poly += lagrange_polynomials[j] * y_value
    return poly


def interpolate_poly(x_values, y_values):
    """
    Returns a polynomial of degree < len(x_values) that evaluates to y_values[i] on x_values[i] for
    all i.
    """
    assert len(x_values) == len(y_values)
    lp = calculate_lagrange_polynomials(x_values)
    return interpolate_poly_lagrange(y_values, lp)

def evaluate(self, x):
    eval = 0
    for i,v in self.items():
        eval += v * (x**i)
    return eval

Polynomial.evaluate = evaluate

x=[121,105,136,11,120,16,55,125,86,141,20,59,50,34,137,53]
y=[121,105,136,11,120,16,55,125,86,36,129,59,50,118,1,8]
p = interpolate_poly(x, y)
print(p)
#for u in x :
#    print (p.evaluate(u))
#print(p(i) for i in x)

3817694907361181104991626158275094153742166940911801388034015897041780499323579573727559242718682971477959929850773x¹⁵ + 357654743141738642176066612790691193269150165112755610505956972928603541439312850326392002710486022255091894678712x¹⁴ + 1748330844801190889185763474088696148979490009944318844564770109293933209290532858213683971732030551105824751167513x¹³ + 196933201667064661433639248630684287952242006323117892964688012779451432655409373409784736343256844651064210457505x¹² + 460056503505719061640187069656655107509258853823138826015538472812668545229923793642687725410366379332886997173254x¹¹ + 722224230484063864505873497380933273840255198451842865585123648071158443504949490118911089374976747863909782718187x¹⁰ + 2231547347255723043330391163329206297839961975047452073520408614717260823997266059908770358191931166201506739150289x⁹ + 678636341878429990344102673787871821631834761307040030859561067634550266867900388792237818859411349346739983661444x⁸ + 395248743937026583707191553641223660755

写了一个有限域上的拉格朗日插值，得到了一个15阶的插值函数，如果直接用scipy的插值得到另外一个结果，大家可以对比一下。

In [126]:
import numpy as np
from scipy.interpolate import lagrange

x=[121,105,136,11,120,16,55,125,86,141,20,59,50,34,137,53]
y=[121,105,136,11,120,16,55,125,86,36,129,59,50,118,1,8]
p = lagrange(x, y)
x2 = np.linspace(0,128)
print(p)


            15             14             13             12
-2.989e-21 x  + 3.694e-18 x  - 2.078e-15 x  + 7.042e-13 x 
              11             10             9             8           7
 - 1.604e-10 x  + 2.595e-08 x  - 3.071e-06 x + 0.0002697 x - 0.01766 x
           6         5         4            3             2
 + 0.8585 x - 30.58 x + 779.7 x - 1.37e+04 x + 1.556e+05 x - 1.017e+06 x + 2.87e+06


上面的拉格朗日插值可以得到一个15阶多项式$f(x)$，然后把原问题转化为$f(x)=8$有解53，即 $$ f(x) = \sum_{i=0}^{15} a_ix^{i} = 8 $$
其中$a_i$都是已知数。不同于zkstark的FRI机制要将这16个点确定的15阶多项式扩张为255阶，在zksnark里只需要对15阶多项式进行prove和verify的操作。<br>

