<- back to home

Cohort #1 · April 14 · Max 15 spots

zkSnarks from Zero

8-week live course. halo2 circuits in Rust.

See the course →

PDF Reference

Halo2 Cheat Sheet

API patterns, security pitfalls, fork comparison.

Get the PDF →

Polynomials in zk snarks

Written by

admin

in

Welcome, fellow zk-enjoyer.

You’ve spent evenings staring at tutorials that don’t compile. Explanations that assume you have a PhD in algebra. AI-generated content that looks legit until you run the code.

I’ve been in blockchain since 2016. I’ve written production zk code. This guide teaches polynomials the way I wish someone taught me.

No PhD required. Code that runs. Let’s go.

What to Expect

Non-formal introductions to zkSNARKs internals. Yes, with scary names – Fast Fourier Transform, KZG commitment scheme, univariate polynomials over finite fields. But without eye-bleeding math.

I include fancy names so you’ll recognize them in whitepapers later.

The code is written in Rust, edition 2024, using Arkworks libraries. As of January 2026, it compiles and runs.
If something breaks, I’ll update it. That’s the difference between a real human and a content mill.

The Road Map

  1. Polynomials over finite fields ← you are here
  2. Roots of unity ← this one is here
  3. Execution trace
  4. Polynomial interpolation via FFT/NTT
  5. Applying constraints to polynomials
  6. Packing into a single polynomial
  7. Commitment scheme (starting with KZG)
  8. Proof AND Verification

Eight posts. But you’ll understand what happens under the hood – instead of copy-pasting circuits and praying.

Lets go

[I was there, in that class room, 3000 years ago]

Remember polynomials from high school? The things nobody explained why they existed?

Turns out they’re the fundamental building block of ZK.

Polynomials work like a data structure. Think of them as Maps that only accept numbers.
Your data is bits at a low level anyway, so translation is doable.
In addition to storage, polynomials allow you to constrain exactly which numbers go where.

Today: storing stuff (encoding). Future posts: the constraints magic (business logic).

Your First Polynomial

Here’s a polynomial that encodes a message:

2x315x2+28x+962x^3 – 15x^2 + 28x + 96

How it was created? Like this:

If you did not know how it was created, it looks like regular equation. But plug in x values 3, 1, 5, 2, and you get the message back.

Click Run. ☝️ See what happens.

You use specific x values (3, 1, 5, 2) as indices to encode the data.
Later, we’ll encode business logic (constraints) as polynomials too.

Ok, cool we have it saved something in form of a polynomial but WHY?

Because there is this thing called Schwartz–Zippel lemma
Do not be afraid young padawan, another fancy name, but tool very useful it is.

The one and only, the OG:
Schwartz–Zippel lemma

Ok cool, what is it?

Schwartz-Zippel simplified:

Two different polynomials will almost never give the same output for a random input.

If you know hash functions, this is similar. Different inputs produce different outputs. With hashes, the input is data. With Schwartz–Zippel the input is a polynomial plus a random value.

Why does this matter? You can verify someone has a specific polynomial by asking for ONE evaluation at a random point. One number checks an entire polynomial. Insanely efficient.

Below: two different polynomials evaluated at a random point. Run it a few times. Evaluations are always different.

Run it few times, the assertion should never fail.
Collision probability is less than 1 in 10^76.
To give you an idea, observable universe has 10^80 atoms.

WHY it is important?

It is very easy way to check IF someone has specific polynomial JUST by asking for evaluation at ONE random point.

Back to “cool” example. You can verify I have the same polynomial by picking random x (say, 42), asking me to evaluate at that point, and comparing results. Same value = same polynomial (with overwhelming probability).

This extends to constraints and business logic. But that’s for future posts.

Key takeaway: Polynomials + Schwartz-Zippel = encode stuff and verify with a single number.

[FYI: verification with a single number is extremely efficient]

I also did a visualization of Shwartz-Zippel for 29:

and for large prime from BN254:

[Senior developer explaining security properties, colorized]

“Wait, Why Does -15 Look So Weird?”

When you print the polynomial, -15 shows up as:

21888242871839275222246405745257275088548364400416034343698204186575808495602

Also full plot of the polynomial mod 29, looks kinda odd on that video above.

What the hell?

Check it again:

That giant number IS -15. BUT in modular arithmetic.

Example on smaller numbers first. Regular numbers go to infinity both ways – you can imagine them as an endless line.
Modular arithmetic gives you finite numbers. With mod 29, you have 29 numbers.
To get infinity working with finite number of lements they forming a circle (ring).
After 28 comes 0, then 1, 2, 3… Behind 0 comes 28, then 27…

So with mod 29, what acts like -15?
You need something that adds to 15 and gives 0.
That’s 14. Because 15 + 14 = 29.
And there is no 29, after 28 you wrap back to 0
So 15 + 14 = 0 mod 29.
So 14 “acts like” -15 in this case.

Let’s check how -15 looks like with the big modulus:

Same trick works for multiplication. Normally, if you multiply a number by its inverse you get 1. With regular numbers, inverse is easy to compute. Inverse of 5 is 1/5. Multiply them: 5 × 1/5 = 1.

But with modular arithmetic? No such thing as a fraction (1/5). Instead, there’s some integer that “acts like” 1/5. Finding it is much harder – but we can do it with extended Euclidean algorithm (another fancy name).

Let’s see if it works:

Why do we care?

Addition/subtraction and multiplication/division work a bit differently. Instead of regular numbers we have numbers modulo some prime.

Because we have all those things we can use another fancy name: Finite Field. Just a name you’ll see in white papers. Now you know what it means.

We can call it many other names, like Knight of the Square Table, or Humpty Dumpty, but someone was faster and already called it Finite Field, and it kinda stuck. The guy was Évariste Galois.

Those Finite Fields have a critical property. Multiplication and powers are easy to compute. Going backwards (logarithms) is stupidly hard. ZK security depends on this asymmetry. Post #7 (KZG commitment scheme) shows exactly how.

If you want to see that wrapping around you can check this one:

What You Just Did

You computed evaluation of univariate polynomials over a finite field. Specifically, the scalar field of the elliptic curve BN254.

Told you at the beginning – these are names. They cant hurt you

Next Up – Roots of Unity.

How do we efficiently put data INTO polynomials? By using something called “roots of unity.”

It’s a bunch of numbers with useful properties. The name sounds intimidating. It isn’t.

See you there.

Playground

This editor is interactive. Copy code, modify it, break it, experiment.

Questions? Found a bug? Hit me up. Code should work – if it doesn’t, that’s on me to fix, or on my VPS that died, which is also on me: https://www.linkedin.com/in/adam-smolarek/