zk-SNARKS setup pubkey数学背景介绍，公式很直观

参考 https://electriccoin.co/blog/generating-zcash-parameters 并结合 https://electriccoin.co/blog/snark-explain3 一起，更直观可理解。

SNARKs require something called “the public parameters”. The SNARK public parameters are numbers with a specific cryptographic structure that are known to all of the participants in the system. They are baked into the protocol and the software from the beginning.

The obvious way to construct SNARK public parameters is just to have someone generate a public/private keypair, similar to an ECDSA keypair [*], and then destroy the private key.

The problem is that private key. Anybody who gets a copy of it can use it to counterfeit money. (However, it cannot violate any user’s privacy — the privacy of transactions is not at risk from this.)

Mitigating this threat is currently our top priority in the Zcash development process. We call the private key material “the toxic waste byproduct” — something that is produced as an unwanted side-effect of the public parameter generation, and that we need to contain and destroy as safely as possible.

SNARK public parameters are not just an ECDSA public key — they’re more like a set of a million ECDSA public keys, each of which contains an encoding of a specific wire in the SNARK circuit.

论文《A multi-party protocol for constructing the public parameters of the Pinocchio zk-SNARK》