In this post, we recall the notion of a polynomial, and explain the notion of
“blind evaluation” of a polynomial, and how it is implemented using Homomorphic
Hiding (HH). (See Part I for an explanation of HH. ) In future posts, we will
see that blind evaluation is a central tool in SNARK constructions.

在这篇文章中,我们将回顾多项式的概念,解释多项式“盲估”的概念,以及如何使用同态隐藏 (HH) 来实现这一方案。(请看 第一部分
在未来的文章中,我们将会认识到盲估是构建 SNARK 的核心工具。

We denote by Fp the field of size p; that is, the elements of Fp are {0,…,p−1}
and addition and multiplication are donemod p as explained in Part I.

我们使用 Fp 来表示 p 的域的大小;也就是说,跟第一部分说明的一样,Fp 中的元素是 {0,...,p-1} ,并且加法和乘法都会执行 mod p。



Recall that a polynomial P of degree d over Fp is an expression of the form

P(X)=a0+a1⋅( X )+a2⋅( X^2 ) +…+ ad⋅( X^d )

, for some a0,…,ad ∈ Fp.

回忆一下具有 在 Fp 上的 d 阶多项式,是一个下面这种形式的表达式:

P(X)=a0+a1⋅( X )+a2⋅( X^2 ) +…+ ad⋅( X^d )

其中 a0,…,ad ∈ Fp

We can evaluate P at a point s ∈ Fp by substituting s for X, and computing the
resultant sum

P(s)=a0+a1⋅( s )+a2⋅( s^2 )+…+ad⋅( s^d)

For someone that knows P, the value P(s) is a linear combination of the values
1,(s),…,(s^d) – where linear combination just means “weighted sum”, in the case
ofP(s) the “weights” are a0,…,ad.

我们可以这样在 s ∈ Fp 点上计算 P,让 s 代替 X,并计算总和。

P(s)=a0+a1⋅( s )+a2⋅( s^2 )+…+ad⋅( s^d)

根据大家所了解的 P,P(s) 的值是 1,(s),…,(s^d) 值的一个线性组合。—— 线性组合仅意味着“加权和”,在 P(s) 一例中权重就是

In the last post, we saw the HH E defined by E(x)=g^x where g was a generator
of a group with a hard discrete log problem. We mentioned that this HH
“supports addition” in the sense thatE(x+y) can be computed from E(x) and E(y).
We note here that it also “supports linear combinations”; meaning that, given
a,b,E(x),E(y), we can compute E(ax+by). This is simply because

E(ax+by)=g^( ax+by )=g^( ax )⋅g^( by )=( ( g^x )^a )⋅( ( g^y )^b )=( E(x)^a
)⋅( E(y)^b ).

在上一篇文章中,我们看到了用 E(x)=g^x 定义的带HH性质的 E,其中 g 是一个采用难离散对数问题的群生成器。我们提到,这种HH“加法支持”,能用
E(x)和E(y)计算出E(x+y)。 我们在这儿指出,HH一样能“支持线性组合”;这意味着,给定 a,b,E(x),E(y) ,我们能计算出 E(ax+by)

E(ax+by)=g^( ax+by )=g^( ax )⋅g^( by )=( ( g^x )^a )⋅( ( g^y )^b )=( E(x)^a
)⋅( E(y)^b )



Suppose Alice has a polynomial P of degree d, and Bob has a point s ∈ Fp that
he chose randomly. Bob wishes to learnE(P(s)), i.e., the HH of the evaluation of
P at s. Two simple ways to do this are:

* Alice sends P to Bob, and he computes E(P(s)) by himself.
* Bob sends s to Alice; she computes E(P(s)) and sends it to Bob.
假设 Alice 有 d 阶多项式 P, 并且 Bob 可以随机地选择一个点 s∈Fp , Bob 期望知道 E(P(s)),这就是于 s 点对 P

* Alice 发送 P 给 Bob,从而 Bob 可以自行计算 E(P(s))。
* Bob 发送 s 给 Alice;Alice计算 E(P(s)) 并发送给 Bob。
However, in the blind evaluation problem we want Bob to learn E(P(s)) without
learningP – which precludes the first option; and, most importantly, we don’t
want Alice to learns, which rules out the second [1].

[1] The main reason we don’t want to send P to Bob, is simply that it is large
–(d+1) elements, where, for example, d~2000000 in the current Zcash protocol;
this ultimately has to do with the “Succinct” part of SNARKs. It is true that
the sequence of hidings Bob is sending to Alice above is just as long, but it
will turn out this sequence can be “hard-coded” in the parameters of the
system, whereas Alice’s message will be different for each SNARK proof.

然而,在盲估问题中,我们希望 Bob 在不了解 P 的情况下了解 E(P(s)) – 这将排除第一种选择; 更重要的是,我们不希望 Alice 了解 s
,这将排除第二种选择 [1]。

* [1] 我们不想将 P 发送给 Bob 的主要原因是,仅仅是因为它太大了——(d+1)个元素,比如,现有的Zcash协议中 d
的值将近2百万;它最终会与“简洁的” SNARKs
Using HH, we can perform blind evaluation as follows.

Bob sends to Alice the hidings E(1),E(s),…,E(s^d).

Alice computes E(P(s)) from the elements sent in the first step, and sends
E(P(s)) to Bob. (Alice can do this since E supports linear combinations, and
P(s) is a linear combination of 1,s,…,sd.)

Note that, as only hidings were sent, neither Alice learned s [2], nor Bob

[2] Actually, the hiding property only guarantees s not being recoverable from
E(s), but here we want to claim it is also not recoverable from the sequence
E(s),…,E(s^d) that potentially contains more information about s. This follows
from the d-power Diffie-Hellman assumption, which is needed in several SNARK
security proofs.


* Bob发送匿数 E(1),E(s),…,E(s^d) 给Alice。
* Alice根据送达的匿数计算 E(P(s)) ,并且发送 E(P(s)) 给Bob。(Alice能够利用E对线性组合的支持进行计算,并且 P(s) 就是
1,s,...,s^d 的线性组合。)
可以注意到,因为只有匿数被发送,Alice不会了解 s[2],Bob也不会了解 P.

* [2] 事实上,隐藏特性仅仅保证了 s 不能由 E(s) 反推得到,但在这里,我们想强调它同样不可能由序列 E(s),…,E(s^d)
反推得到,虽然这个序列包涵了很多s 的信息。这样的判断缘于 Diffie-Hellman 假设,这个假设论证了 SNARK 的安全性。


Subsequent posts will go into more detail as to how blind evaluation is used
in SNARKs. The rough intuition is that the verifier has a “correct” polynomial
in mind, and wishes to check the prover knows it. Making the prover blindly
evaluate their polynomial at a random point not known to them, ensures the
prover will give the wrong answer with high probability if their polynomial is
not the correct one. This, in turn, relies on the Schwartz-Zippel Lemma stating
that “different polynomials are different at most points”.

在后面的文章中,我们将详细讨论盲估技术如何被应用于 SNARKs。 大致的解释是,验证器在内部有一个





