In [38]:
import galois
import numpy as np

### R1CS

In [39]:
p = 71
FP = galois.GF(p)

Witness vector:

$s = \left\langle s_i \right\rangle_{[m]}\\$

$ \color{Green}L \color{defaultcolor}= \begin{bmatrix}
& \color{Cyan} s_0 & \color{Cyan} s_1 & \cdots  & \color{Cyan} s_{m-1} \\
\color{Cyan} (1) & l_{0,0} & l_{0, 1} & \cdots & l_{0, m-1} \\
\color{Cyan} (2) & l_{1,0} & l_{1, 1} & \cdots & l_{1, m-1} \\
\color{Cyan} \vdots & & & \ddots & \\
\color{Cyan} (d) & l_{d-1,0} & l_{0, 1} & \cdots & l_{d-1, m-1} \\
\end{bmatrix} \\$

$ \color{Yellow}R \color{defaultcolor}= \begin{bmatrix}
& \color{Cyan} s_0 & \color{Cyan} s_1 & \cdots  & \color{Cyan} s_{m-1} \\
\color{Cyan} (1) & r_{0,0} & r_{0, 1} & \cdots & r_{0, m-1} \\
\color{Cyan} (2) & r_{1,0} & r_{1, 1} & \cdots & r_{1, m-1} \\
\color{Cyan} \vdots & & & \ddots & \\
\color{Cyan} (d) & r_{d-1,0} & r_{0, 1} & \cdots & r_{d-1, m-1} \\
\end{bmatrix} \\$

$ \color{Red}O \color{defaultcolor}= \begin{bmatrix}
& \color{Cyan} s_0 & \color{Cyan} s_1 & \cdots  & \color{Cyan} s_{m-1} \\
\color{Cyan} (1) & o_{0,0} & o_{0, 1} & \cdots & o_{0, m-1} \\
\color{Cyan} (2) & o_{1,0} & o_{1, 1} & \cdots & o_{1, m-1} \\
\color{Cyan} \vdots & & & \ddots & \\
\color{Cyan} (d) & o_{d-1,0} & o_{0, 1} & \cdots & o_{d-1, m-1} \\
\end{bmatrix} \\$

Matrices serve as encodings for triggers or switches, activating computations for specific variables.

Example:

Original equation:

$ 5x^{3} - 4x^{2}y^{2} + 13xy^{2} + x^{2} -10y = out $

Constraints:

$\left\{ \begin{array}{cl}
\color{Red}v_1 \color{defaultcolor} = \color{Green} x \color{Yellow}x & \color{Cyan}(1)\\
\color{Red}v_2 \color{defaultcolor} = \color{Green} y \color{Yellow}y & \color{Cyan}(2)\\
\color{Red}v_3 \color{defaultcolor} = \color{Green} 5x \color{Yellow}v_1 & \color{Cyan}(3)\\
\color{Red}v_4 \color{defaultcolor} = \color{Green} 4v_1 \color{Yellow}v_2 & \color{Cyan}(4)\\
\color{Red} out -v_3 + v_4 - v_1 + 10y \color{defaultcolor} = \color{Green}13x \color{Yellow}v_2 & \color{Cyan}(5)
\end{array} \right.\\$

$ s = \begin{bmatrix}
\color{Cyan} 1 & \color{Cyan} out & \color{Cyan} x & \color{Cyan} y & \color{Cyan} v_1 & \color{Cyan} v_2 & \color{Cyan} v_3 & \color{Cyan} v_4 \\
1 & 33 & 2 & 3 & 4 & 9 & 40 & 2
\end{bmatrix} \\ $

$ \color{Green}L \color{defaultcolor}= \begin{bmatrix}
& \color{Cyan} 1 & \color{Cyan} out & \color{Cyan} x & \color{Cyan} y & \color{Cyan} v_1 & \color{Cyan} v_2 & \color{Cyan} v_3 & \color{Cyan} v_4 \\
\color{Cyan} (1) & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan} (2) & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
\color{Cyan} (3) & 0 & 0 & 5 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan} (4) & 0 & 0 & 0 & 0 & 4 & 0 & 0 & 0 \\
\color{Cyan} (5) & 0 & 0 & 13 & 0 & 0 & 0 & 0 & 0 \\
\end{bmatrix} \\ $

$ \color{Yellow}R \color{defaultcolor}= \begin{bmatrix}
& \color{Cyan} 1 & \color{Cyan} out & \color{Cyan} x & \color{Cyan} y & \color{Cyan} v_1 & \color{Cyan} v_2 & \color{Cyan} v_3 & \color{Cyan} v_4 \\
\color{Cyan} (1) & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan} (2) & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
\color{Cyan} (3) & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
\color{Cyan} (4) & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
\color{Cyan} (5) & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
\end{bmatrix} \\ $

$ \color{Red}O \color{defaultcolor} = \begin{bmatrix}
& \color{Cyan} 1 & \color{Cyan} out & \color{Cyan} x & \color{Cyan} y & \color{Cyan} v_1 & \color{Cyan} v_2 & \color{Cyan} v_3 & \color{Cyan} v_4 \\
\color{Cyan} (1) & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
\color{Cyan} (2) & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
\color{Cyan} (3) & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \\
\color{Cyan} (4) & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
\color{Cyan} (5) & 0 & 1 & 0 & 10 & -1 & 0 & -1 & 1 \\
\end{bmatrix} \\ $

In [54]:
# inputs
x = FP(2)
y = FP(3)

# witnesses
v1 = x * x # (1)
v2 = y * y # (2)
v3 = 5 * x * v1 # (3)
v4 = 4 * v1 * v2 # (4)
out = 13 * x * v2 - 10 * y + v1 + v3 - v4 # (5)

# check if computed output is correct
assert out == 5 * x**3 - 4 * x**2 * y**2 + 13 * x * y**2 + x**2 - 10 * y

# witness vector
s = FP([1, out, x, y, v1, v2, v3, v4])

print(s)

L = FP([
    # 1, out, x, y, v1, v2, v3, v4
    [0, 0,  1, 0, 0, 0, 0, 0], # x
    [0, 0,  0, 1, 0, 0, 0, 0], # y
    [0, 0,  5, 0, 0, 0, 0, 0], # 5x
    [0, 0,  0, 0, 4, 0, 0, 0], # 4v1
    [0, 0, 13, 0, 0, 0, 0, 0], # 13x
])

R = FP([
    [0, 0, 1, 0, 0, 0, 0, 0], # x
    [0, 0, 0, 1, 0, 0, 0, 0], # y
    [0, 0, 0, 0, 1, 0, 0, 0], # v1
    [0, 0, 0, 0, 0, 1, 0, 0], # v2
    [0, 0, 0, 0, 0, 1, 0, 0], # v2
])

O = FP([
    [0, 0, 0,  0,   1, 0,   0, 0], # v1
    [0, 0, 0,  0,   0, 1,   0, 0], # v2
    [0, 0, 0,  0,   0, 0,   1, 0], # v3
    [0, 0, 0,  0,   0, 0,   0, 1], # v4
    [0, 1, 0, 10, p-1, 0, p-1, 1], # out + 10y - v1 - v3 + v4
])

[ 1 33  2  3  4  9 40  2]


In [44]:
# num witnesses
m = O.shape[1]
# num constraints
d = O.shape[0]

print(f"m: {m}, d: {d}")

m: 8, d: 5


We use matrices $L, R, O$ as encoded switchers, activators and apply it to the witness vector. As the output we have 1D vector of size $d$ (num of constraints) for every matrix that accumulates all witnesses for every constraint and satisfies:

$L_s = \left\langle \sum_{i=0}^{m-1}L_{k, i} * s_i \right\rangle_{k\in\{0..d-1\}} \\$

$R_s = \left\langle \sum_{i=0}^{m-1}R_{k, i} * s_i \right\rangle_{k\in\{0..d-1\}}\\$

$O_s = \left\langle \sum_{i=0}^{m-1}O_{k, i} * s_i \right\rangle_{k\in\{0..d-1\}} \\$

$L_s * R_s = O_s $ must hold

$\begin{bmatrix}
L_{s_0} \\
L_{s_1} \\
\vdots  \\
L_{s_k} \\
\end{bmatrix} * 
\begin{bmatrix}
R_{s_0} \\
R_{s_1} \\
\vdots  \\
R_{s_k} \\
\end{bmatrix} = 
\begin{bmatrix}
O_{s_0} \\
O_{s_1} \\
\vdots  \\
O_{s_k} \\
\end{bmatrix} \\$

Example:

$\begin{bmatrix}
2 \\
3 \\
10 \\
16 \\
26 \\ 
\end{bmatrix} * 
\begin{bmatrix}
2 \\
3 \\
4 \\
9 \\
9 \\ 
\end{bmatrix} = 
\begin{bmatrix}
4 \\
9 \\
40 \\
2 \\
21 \\ 
\end{bmatrix}
$

In [46]:
Ls = np.dot(L, s)
Rs = np.dot(R, s)
Os = np.dot(O, s)

print(Ls)
print(Rs)
print(Ls * Rs)
print(Os)

assert(np.all(Ls * Rs == Os))

[ 2  3 10 16 26]
[2 3 4 9 9]
[ 4  9 40  2 21]
[ 4  9 40  2 21]


### R1CS to QAP

The goal is to transform R1CS matrices L, R, O into QAP format. We need polynomials $L_p(x)$, $R_p(x)$, $O_p(x)$ for every witness such that it evaluates to the corresponding values of the original matrices at x = 1..d, where d is the number of constraints (or rows in the matrices)

$L = \begin{bmatrix}
& \color{Cyan}s_0 & \color{Cyan}s_1 & \cdots & \color{Cyan}s_{m-1} \\
\color{Cyan}(1) & l_{0,0} & l_{0,1} & \cdots & l_{0, m-1} \\
\color{Cyan}(2) & l_{1,0} & l_{1,1} & \cdots & l_{1, m-1} \\
\color{Cyan}\vdots & & & \ddots & \\
\color{Cyan}(d) & l_{d-1,0} & l_{d-1,1} & \cdots & l_{d-1, m-1} \\
\end{bmatrix} \\$

$L_p = \begin{bmatrix}
& \color{Cyan}x^0 & \color{Cyan}x^1 & \cdots & \color{Cyan}x^{d-1} \\
\color{Cyan}s_0 & l_{p_{0, 0}} & l_{p_{0, 1}} & \cdots & l_{p_{0, d-1}} \\
\color{Cyan}s_1 & l_{p_{1, 0}} & l_{p_{1, 1}} & \cdots & l_{p_{1, d-1}} \\
\color{Cyan}\vdots  &  &  & \ddots &  \\
\color{Cyan}s_{m-1} & l_{p_{m-1, 0}} & l_{p_{m-1, 1}} & \cdots & l_{p_{m-1, d-1}} &
\end{bmatrix} \\$

$\left\langle L_p(x) \right\rangle = \begin{bmatrix}
l_{p_{0,0}}x^0 + l_{p_{0, 1}}x^1 + ... + l_{p_{0, d-1}}x^{d-1} \\
l_{p_{1,0}}x^0 + l_{p_{1, 1}}x^1 + ... + l_{p_{1, d-1}}x^{d-1} \\
\vdots \\
l_{p_{m-1,0}}x^0 + l_{p_{m-1, 1}}x^1 + ... + l_{p_{m-1, d-1}}x^{d-1} \\
\end{bmatrix}_{m\text{x}1} \\$

$L_p(x) \to L^T: \begin{bmatrix}
& \color{Cyan}L_p(1) & \color{Cyan}L_p(2) & \color{Cyan}\cdots & \color{Cyan}L_p(d) \\
\color{Cyan}s_0 & l_{0, 0} & l_{1, 0} & \cdots & l_{d-1, 0} \\
\color{Cyan}s_1 & l_{0, 1} & l_{1, 1} & \cdots & l_{d-1, 1} \\
\color{Cyan}\vdots & & & \ddots  & \\
\color{Cyan}s_{m-1} & l_{0, m-1} & l_{1, m-1} & \cdots & l_{d-1, m-1} \\
\end{bmatrix}$

Example:

$ L = \begin{bmatrix}
& \color{Cyan}1 & \color{Cyan}out & \color{Cyan}x & \color{Cyan}y & \color{Cyan}v_1 & \color{Cyan}v_2 & \color{Cyan}v_3 & \color{Cyan}v_4 \\
\color{Cyan}(1) & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}(2) & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
\color{Cyan}(3) & 0 & 0 & 5 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}(4) & 0 & 0 & 0 & 0 & 4 & 0 & 0 & 0 \\
\color{Cyan}(5) & 0 & 0 & 13 & 0 & 0 & 0 & 0 & 0 \\
\end{bmatrix} $

$ L_p = \begin{bmatrix}
& \color{Cyan}x^0 & \color{Cyan}x^1 & \color{Cyan}x^2 & \color{Cyan}x^3 & \color{Cyan}x^4 \\
\color{Cyan}1 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}out & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}x & 68 & 11 & 24 & 50 & 61 \\
\color{Cyan}y & 61 & 6 & 2 & 14 & 59 \\
\color{Cyan}v_1 & 51 & 17 & 20 & 31 & 23 \\
\color{Cyan}v_2 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}v_3 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}v_4 & 0 & 0 & 0 & 0 & 0
\end{bmatrix} $

$ L_p(x) = \begin{bmatrix}
& \color{Cyan}L_p(1) & \color{Cyan}L_p(2) & \color{Cyan}L_p(3) & \color{Cyan}L_p(4) & \color{Cyan}L_p(5) \\
\color{Cyan}1 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}out & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}x & 1 & 0 & 5 & 0 & 13 \\
\color{Cyan}y & 0 & 1 & 0 & 0 & 0 \\
\color{Cyan}v_1 & 0 & 0 & 0 & 4 & 0 \\
\color{Cyan}v_2 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}v_3 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}v_4 & 0 & 0 & 0 & 0 & 0
\end{bmatrix} $

In [20]:
# num witnesses
m = O.shape[1]
# num constraints
d = O.shape[0]

print(f"m: {m}, d: {d}")

n: 8, d: 5


In [47]:
poly_m = []

# iterate over the matrixes
for M in [L, R, O]:
    poly_list = []
    # iterate over the columns (witnesses)
    for i in range(0, m):
        # there must be `d` number of pairs (x, y) to interpolate
        # one for each constraint
        points_x = FP(np.zeros(d, dtype=int))
        points_y = FP(np.zeros(d, dtype=int))
        # iterate over the rows (constraints)
        for j in range(0, d):
            # x coordinate is the index of the row + 1
            points_x[j] = FP(j + 1)
            # y coordinate is the value of the matrix at (i, j)
            points_y[j] = M[j][i]

        # making polynomial interpolation (must be d-1 degree polynomial, since we have d points)
        poly = galois.lagrange_poly(points_x, points_y)
        # we need only the coefficients of the polynomial (in ascending order, c0*x^0, c1*x^1, ...)
        coeffs = poly.coefficients(order="asc")
        
        # if the polynomial is smaller than d, append zeros for higher coefficients
        if len(coeffs) < d:
            coeffs = np.append(coeffs, np.zeros(d - len(coeffs), dtype=int))
        
        poly_list.append(coeffs)
    
    poly_m.append(FP(poly_list))

Lp = poly_m[0]
Rp = poly_m[1]
Op = poly_m[2]

In [48]:
# evaluating check
for k, v in [(Lp, L), (Rp, R), (Op, O)]:
    # iterate over witnesses
    for i in range(m):
        # making polynomial from coefficients corresponding to the witness
        poly = galois.Poly(k[i], order="asc")
        # iterate over constraints
        for j in range(d):
            # the polynomial must evaluate to the same value as the matrix at j constraint and i witness
            assert(poly(j + 1) == v[j][i])

$\left\langle u \right\rangle_{1\text{x}d} = \left\langle s \right\rangle_{1\text{x}m} \otimes \left\langle L_p \right\rangle_{m\text{x}d} = \begin{bmatrix}
\color{Cyan}x^0 & \color{Cyan}x^1 & \color{Cyan}\cdots & \color{Cyan}x^{d-1} \\
\sum_{i=0}^{m-1}s_i L_{p_{i,0}} & \sum_{i=0}^{m-1}s_i L_{p_{i,1}} & \cdots & \sum_{i=0}^{m-1}s_i L_{p_{i,d-1}}  
\end{bmatrix}\\$

$U(x) = \sum_{i=0}^{d-1}u_i*x^i\\$

$V(x) = \sum_{i=0}^{d-1}v_i*x^i\\$

$W(x) = \sum_{i=0}^{d-1}w_i*x^i\\$

Example:

$\left\langle u \right\rangle_{1 \text{x} d} = 
\begin{bmatrix}
\color{Cyan}1 & \color{Cyan}out & \color{Cyan}x & \color{Cyan}y & \color{Cyan}v_1 & \color{Cyan}v_2 & \color{Cyan}v_3 & \color{Cyan}v_4 \\
1 & 33 & 2 & 3 & 4 & 9 & 40 &  2
\end{bmatrix} \otimes \begin{bmatrix}
& \color{Cyan}x^0 & \color{Cyan}x^1 & \color{Cyan}x^2 & \color{Cyan}x^3 & \color{Cyan}x^4 \\
\color{Cyan}1 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}out & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}x & 68 & 11 & 24 & 50 & 61 \\
\color{Cyan}y & 61 & 6 & 2 & 14 & 59 \\
\color{Cyan}v_1 & 51 & 17 & 20 & 31 & 23 \\
\color{Cyan}v_2 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}v_3 & 0 & 0 & 0 & 0 & 0 \\
\color{Cyan}v_4 & 0 & 0 & 0 & 0 & 0
\end{bmatrix} = \begin{bmatrix}
\color{Cyan}x^0 & \color{Cyan}x^1 & \color{Cyan}x^2 & \color{Cyan}x^3 & \color{Cyan}x^4 \\
26 & 37 & 63 & 53 & 36
\end{bmatrix}\\$

$U(x) = 36x^4 + 53x^3 + 63x^2 + 37x + 26$

In [49]:
U = galois.Poly(np.matmul(s, Lp), order="asc")
V = galois.Poly(np.matmul(s, Rp), order="asc")
W = galois.Poly(np.matmul(s, Op), order="asc")

print("U = ", U)
print("V = ", V)
print("W = ", W)

U =  36x^4 + 53x^3 + 63x^2 + 37x + 26
V =  32x^4 + 12x^3 + 51x^2 + 65x + 55
W =  24x^4 + 40x^3 + 25x^2 + 57


In [50]:
# check if the polynomials evaluate to the correct value at x = 1..d (for every constraint)
for M, poly in [(Ls, U), (Rs, V), (Os, W)]:
    for i in range(d):
        assert (M[i] == poly(i + 1))

$U(x) * V(x) - W(x) = T(x) * H(x)\\$

$T(x) = (x - x_1)(x - x_2)...(x - x_d)\\$

$H(x) = \frac{U(x) \cdot V(x) - W(x)}{T(x)}\\$

In [51]:
# Making target polynomial. We need a polynomial that evaluates to 0 at x = 1..d: (x-1)(x-2)...(x-d)
T = galois.Poly([1, p-1], field=FP)
for i in range(2, d + 1):
    T *= galois.Poly([1, p-i], field=FP)

In [53]:
H = (U * V - W) // T
rem = (U * V - W) % T

print("H =", H)

assert rem == 0, "must not be the remainder"

tau = FP(20)
assert U(tau) * V(tau) - W(tau) == H(tau) * T(tau)

H = 16x^3 + 25x^2 + 24x + 14
