A Quadratic Arithmetic Program (QAP) is a mathematical representation that transforms a computational statement, such as the correct execution of a program, into a set of polynomial equations. This encoding is the critical first step in constructing zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge). The core idea is to express the constraints of a computation as a polynomial identity; if the identity holds, the computation was performed correctly. This transformation allows a verifier to check the validity of a complex computation by performing a simple check on the polynomials, rather than re-running the entire program.
LABS
Glossary
Quadratic Arithmetic Program (QAP)
A Quadratic Arithmetic Program (QAP) is a polynomial representation of an arithmetic circuit, which reduces the problem of checking circuit satisfaction to checking polynomial divisibility, forming the backbone of early zk-SNARK constructions.
Chainscore © 2026
definition
ZERO-KNOWLEDGE PROOFS
What is a Quadratic Arithmetic Program (QAP)?
A Quadratic Arithmetic Program (QAP) is a foundational mathematical structure used to encode computational statements into a form that can be efficiently verified by a cryptographic proof system.
The construction of a QAP begins by representing a computation as an arithmetic circuit, composed of addition and multiplication gates. Each gate's operation is converted into a constraint, often of the form A * B = C. These constraints are then interpolated into polynomials. The prover, who performed the computation, creates a proof by demonstrating they possess polynomials that satisfy the QAP's master polynomial equation. The verifier's job is reduced to checking a single, succinct equation involving these polynomials, which is exponentially faster than checking each constraint individually.
The power of the QAP framework lies in its role within zk-SNARK protocols like those used in Zcash and various Layer 2 scaling solutions. It enables the creation of extremely small proofs that can be verified in milliseconds, regardless of the original computation's size. This efficiency is what makes private transactions and scalable blockchain computations feasible. The QAP is often paired with elliptic curve cryptography and bilinear pairings to create the final, verifiable cryptographic proof.
While revolutionary, working directly with QAPs is complex. This led to the development of higher-level languages and compilers, such as ZoKrates and Circom, which allow developers to write code in a more familiar syntax. These tools automatically compile the logic down to the arithmetic circuit and QAP representation required by the proving backend. This abstraction layer has been crucial for the broader adoption of zero-knowledge technology in blockchain development.
In summary, the Quadratic Arithmetic Program is the algebraic backbone that makes efficient zero-knowledge proofs possible. By reducing any computation to a polynomial identity check, it provides the verifiable integrity essential for trust-minimized systems without requiring trust in a central party or the disclosure of underlying data.
how-it-works
ZKP PRIMITIVE
How a Quadratic Arithmetic Program (QAP) Works
A Quadratic Arithmetic Program (QAP) is a foundational cryptographic representation that transforms a computational statement into a form suitable for constructing succinct zero-knowledge proofs, particularly zk-SNARKs.
A Quadratic Arithmetic Program (QAP) is a mathematical representation that encodes the constraints of an arithmetic circuit as a set of polynomial equations, enabling the efficient construction of zero-knowledge proofs. The core idea is to reduce any computational verification problem—such as "I know an input x that makes this program output y"—to checking whether a specific polynomial is divisible by a publicly known target polynomial. This divisibility check forms the basis for proving correctness without revealing the underlying data.
The construction of a QAP involves three key steps. First, the computation is expressed as an arithmetic circuit composed of addition and multiplication gates. Second, for each gate, a set of constraint polynomials is created that must equal zero for a valid assignment of the circuit's wires. Finally, these constraints are combined into three sets of polynomials, often denoted A(x), B(x), and C(x), such that the statement is true if and only if A(x) · B(x) - C(x) is divisible by a predefined target polynomial Z(x), which encodes the structure of the circuit itself.
In practice, the prover uses the QAP to generate a proof by evaluating the polynomials at a secret random point (a process secured by a trusted setup), creating a short cryptographic commitment. The verifier then performs a simple pairing check on elliptic curves to confirm the polynomial divisibility condition holds. This mechanism allows for proofs that are succinct (small and fast to verify) and zero-knowledge (revealing nothing beyond the validity of the statement). The QAP's efficiency was famously demonstrated in Zcash's original zk-SNARK protocol, enabling private transactions on a public blockchain.
key-features
STRUCTURAL COMPONENTS
Key Features of a QAP
A Quadratic Arithmetic Program (QAP) is a mathematical representation that encodes the constraints of a computation into a polynomial equation, forming the cryptographic backbone of zk-SNARKs. Its structure enables efficient verification of complex statements.
01
Polynomial Encoding of Constraints
A QAP transforms a computational circuit's arithmetic gates into a set of polynomials. Each gate's relationship between its input and output wires is expressed as a polynomial equation. The prover demonstrates knowledge of a valid assignment to all wires by showing these polynomials evaluate to zero at a secret point, proving all gate constraints are satisfied.
02
The Target Polynomial t(x)
The core of the QAP is the target polynomial t(x), defined as the product of all root polynomials (x - r_i) for each gate i. The prover's task is to show that a constructed witness polynomial is divisible by t(x). This divisibility check proves that the witness is consistent with every constraint in the original circuit.
03
Witness Polynomials A(x), B(x), C(x)
The prover uses the secret witness (private inputs) to generate three polynomials:
- A(x) encodes assignments to the left wires of each gate.
- B(x) encodes assignments to the right wires.
- C(x) encodes assignments to the output wires.
The QAP is satisfied if
A(x) * B(x) - C(x) = H(x) * t(x)for some quotient polynomialH(x).
04
Lagrange Interpolation & Trusted Setup
Polynomials are constructed using Lagrange interpolation over a set of evaluation points, one for each gate. This requires a trusted setup to generate a Common Reference String (CRS) containing encrypted evaluations of these Lagrange basis polynomials. This setup is a critical, one-time ceremony for the system's security.
05
Succinct Verification via Pairings
The verifier does not see the full polynomials. Instead, using elliptic curve pairings, they check a single equation on encrypted values from the CRS and the proof. This allows verification in constant time, independent of the circuit's size, which is the origin of the 'succinct' in zk-SNARK.
06
Relation to R1CS
A QAP is typically constructed from a Rank-1 Constraint System (R1CS), a simpler intermediate representation. R1CS expresses each gate as a vector equation (A · s) * (B · s) = (C · s), where s is the witness vector. The QAP is the polynomial version of this system, enabling the cryptographic proof.
visual-explainer
ZKP PRIMER
Visualizing a Quadratic Arithmetic Program
A conceptual guide to understanding the structure and purpose of a Quadratic Arithmetic Program (QAP), a core component in zk-SNARK construction.
A Quadratic Arithmetic Program (QAP) is a specific mathematical representation of a computational statement, designed to be efficiently verifiable using cryptographic proofs. It transforms a program's logic—expressed as a series of constraints—into a polynomial equation. The core idea is that if the prover knows a valid solution (a set of witness values) to the original computation, they can construct polynomials that satisfy the QAP's polynomial identity. This identity, which equates to zero only when all constraints are met, becomes the foundation for generating a zero-knowledge proof.
Visualizing a QAP often involves three sets of polynomials. Imagine you have a circuit with wires carrying values. For each multiplication gate in the circuit, you define three polynomials: one for the left input wire, one for the right input wire, and one for the output wire. These polynomials are evaluated over a set of points corresponding to each gate. The crucial check is that for every gate point, the product of the left and right wire polynomials equals the output wire polynomial. This collection of polynomial constraints across all gates is bundled into a single, grand polynomial equation using Lagrange interpolation.
The verification process is elegantly simple in this framework. The prover computes commitments to the wire polynomials and provides an evaluation at a secret, randomly chosen point (the challenge point). The verifier, using these commitments and the trusted setup's public parameters, checks a single pairing equation. This equation essentially confirms that the polynomial identity holds at the secret point, which, due to the Schwartz-Zippel lemma, implies it holds everywhere with overwhelming probability. Thus, verifying a complex computation is reduced to checking one elliptic curve pairing.
In practice, tools like libsnark or circom handle the QAP construction automatically. A developer writes their circuit logic in a high-level language, and the compiler generates the corresponding Rank-1 Constraint System (R1CS), which is then converted into the QAP polynomials. Understanding this visualization demystifies how zk-SNARKs achieve their remarkable efficiency: they trade the need to re-execute a program for the verification of a succinct proof about that execution's correctness.
ecosystem-usage
IMPLEMENTATION
Protocols Using QAPs
Quadratic Arithmetic Programs (QAPs) are a foundational component of several major zero-knowledge proof systems. These protocols use QAPs to efficiently encode and verify complex computations.
05
QAP as a Compilation Target
Many proof systems treat the QAP as a compilation target. High-level operations (e.g., from a virtual machine or circuit) are transformed into a rank-1 constraint system (R1CS), which is then converted into a QAP. This two-step process (Program → R1CS → QAP) is a standard pipeline for generating zk-SNARK proofs.
06
Evolution to R1CS & Plonkish
While foundational, the pure QAP construction has been largely superseded by more flexible representations. Rank-1 Constraint Systems (R1CS) are a more direct, algebraic representation used by many modern tools. Plonkish arithmetization (used in PLONK, Halo2) offers greater efficiency and universal trusted setups, reducing QAP's role in newer protocols.
COMPARATIVE ANALYSIS
QAP vs. Other Proof System Backbones
A technical comparison of core mathematical structures used to express computational statements for zero-knowledge proofs.
| Feature / Metric | Quadratic Arithmetic Program (QAP) | Rank-1 Constraint System (R1CS) | Arithmetic Circuit |
|---|---|---|---|
Primary Representation | Polynomials over a finite field | Quadratic equations (A·B = C) | Gates and wires (addition, multiplication) |
Succinctness of Proof | |||
Polynomial Commitment Scheme Required | |||
Native Support for Pairings | |||
Prover Complexity (for n gates) | O(n log n) | O(n) | O(n) |
Verifier Complexity | O(1) after trusted setup | O(n) | O(n) |
Trusted Setup Required | |||
Used In | Pinocchio, Groth16, GKR | libsnark, Bulletproofs | zk-SNARKs, MPC protocols |
ZK-SNARK CORE
Quadratic Arithmetic Program (QAP)
A Quadratic Arithmetic Program (QAP) is a mathematical representation used to convert computational statements into a form that can be efficiently verified by zero-knowledge proofs, particularly zk-SNARKs. It is a foundational component for proving the correct execution of a program without revealing any information about the inputs.
A Quadratic Arithmetic Program (QAP) is a system of quadratic equations that encodes the constraints of a computational statement, transforming it into a format suitable for cryptographic verification. It is the core mathematical structure underpinning zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge). The QAP reduces the problem of verifying a program's execution to checking a single polynomial equation, enabling highly efficient proofs. This transformation is a critical step in systems like Zcash's original zk-SNARK protocol and many Layer 2 scaling solutions.
DEMYSTIFYING ZK-SNARKS
Common Misconceptions About QAPs
Quadratic Arithmetic Programs (QAPs) are a core component of zk-SNARKs, but their complexity leads to frequent misunderstandings about their purpose, limitations, and role in proving computations.
No, a Quadratic Arithmetic Program (QAP) is not a zk-SNARK; it is a specific intermediate representation used within many zk-SNARK constructions. A QAP encodes a computational statement (like "I know the private key for this public key") into a polynomial equation. The zk-SNARK is the full cryptographic protocol that uses this QAP, along with other components like elliptic curve pairings and a trusted setup, to generate a succinct, zero-knowledge proof. Think of the QAP as the blueprint for the computation, while the zk-SNARK is the machinery that builds and verifies the proof from that blueprint.
QUADRATIC ARITHMETIC PROGRAM (QAP)
Frequently Asked Questions (FAQ)
A Quadratic Arithmetic Program (QAP) is a foundational cryptographic tool for constructing zk-SNARKs, enabling efficient verification of complex computations. These questions address its core mechanics and role in blockchain.
A Quadratic Arithmetic Program (QAP) is a mathematical representation that transforms a computational statement into a set of polynomial equations, forming the core of zk-SNARK proof systems. It encodes the constraints of a circuit (like verifying a transaction) into polynomials. The prover demonstrates knowledge of a valid solution (a witness) by showing these polynomials evaluate to zero at a secret point, which the verifier can check using an elliptic curve pairing without learning the witness itself. This structure is crucial for generating succinct, non-interactive proofs of computational correctness.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall