docs/r1cs-docs-example.md
29 additions & 24 deletions
@@ -2,20 +2,20 @@ The rank-1 constraint system API for programmatically defining constraint system
2
2
3
3
## Building a proof-of-shuffle constraint system
4
4
5
-
A shuffle is a permutation of a list of `k` scalars `{x_i}` into a list of `k` scalars `{y_i}`.
5
+
A shuffle is a permutation of a list of \\(k\\) scalars \\(x_i\\) into a list of \\(k\\) scalars \\(y_i\\).
6
6
7
-
Algebraically it can be expressed as a statement that for a free variable `z`, the roots of the two polynomials in terms of `z` are the same up to a permutation:
7
+
Algebraically it can be expressed as a statement that for a free variable \\(z\\), the roots of the two polynomials in terms of \\(z\\) are the same up to a permutation:
8
8
9
9
\\[
10
10
\prod_i (x_i - z) = \prod_i (y_i - z)
11
11
\\]
12
12
13
-
The prover can commit to blinded scalars `x_i` and `y_i` then receive a random challenge `z`,
13
+
The prover can commit to blinded scalars \\(x_i\\) and \\(y_i\\) then receive a random challenge \\(z\\),
14
14
and build a proof that the above relation holds.
15
15
16
16
K-shuffle requires `2*(K-1)` multipliers.
17
17
18
-
For K > 1:
18
+
For `K > 1`:
19
19
20
20
```ascii,no_run
21
21
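Review bot: The list length is written two ways in this hunk: the first added line uses lowercase \\(k\\) in math notation, while the unchanged "K-shuffle requires `2*(K-1)` multipliers." and the added "For `K > 1`:" use uppercase K in backticks for the same quantity. Pick one symbol and one notation for it, for example "\\(k\\)-shuffle requires \\(2(k-1)\\) multipliers" and "For \\(k > 1\\):". The first added line also drops the braces from `{x_i}` and `{y_i}`, so the sentence now names a single scalar \\(x_i\\) where it means the whole list; consider keeping some list notation there.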
@@ -32,24 +32,29 @@ For K > 1:
32
32
```
33
33
34
34
Connect the left and right sides of the shuffle statement:
35
-
`mulx_out[0] = muly_out[0]`
36
-
37
-
For i == [0, k-3]:
38
-
`mulx_left[i] = x_i - z`
39
-
`mulx_right[i] = mulx_out[i+1]`
40
-
`muly_left[i] = y_i - z`
41
-
`muly_right[i] = muly_out[i+1]`
42
-
35
+
```ascii,no_run
36
+
mulx_out[0] = muly_out[0]
37
+
```
38
+
For `i == [0, k-3]`:
39
+
```ascii,no_run
40
+
mulx_left[i] = x_i - z
41
+
mulx_right[i] = mulx_out[i+1]
42
+
muly_left[i] = y_i - z
43
+
muly_right[i] = muly_out[i+1]
44
+
```
43
45
The last multipliers connect the two last variables (on each side)
44
-
`mulx_left[k-2] = x_{k-2} - z`
45
-
`mulx_right[k-2] = x_{k-1} - z`
46
-
`muly_left[k-2] = y_{k-2} - z`
47
-
`muly_right[k-2] = y_{k-1} - z`
48
-
49
-
For K = 1:
50
-
Connect x to y directly, omitting the challenge entirely as it cancels out
51
-
`x_0 = y_0`
52
-
46
+
```ascii,no_run
47
+
mulx_left[k-2] = x_{k-2} - z
48
+
mulx_right[k-2] = x_{k-1} - z
49
+
muly_left[k-2] = y_{k-2} - z
50
+
muly_right[k-2] = y_{k-1} - z
51
+
```
52
+
For `K = 1`:
53
+
Connect x to y directly. Since there is only one permuatation of a 1-element list, we can omit the challenge entirely as it cancels out.
54
+
```ascii,no_run
55
+
x_0 = y_0
56
+
```
57
+
Doctest for creating and verifying a shuffle proof:
53
58
```rust
54
59
externcrate bulletproofs;
55
60
externcrate curve25519_dalek;
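Review bot: Typo in the added `K = 1` explanation: "permuatation" should be "permutation". While this text is being touched, "For `i == [0, k-3]`:" reads as an equality test against a range rather than "for each i in the range", so something like "For `i` in `[0, k-3]`:" would be clearer. The case headings use uppercase `K` while every formula in the fenced blocks indexes with lowercase `k`; these should use the same letter.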
@@ -104,11 +109,11 @@ impl ShuffleProof {
104
109
}
105
110
```
106
111
107
-
In this example, `ShuffleProof::gadget()` is private function that adds constraints to the constraint system that enforce that `y` (the outputs) are a valid reordering of `x` (the inputs).
112
+
In this example, `ShuffleProof::gadget()` is private function that adds constraints to the constraint system that enforce that \\(y\\) (the outputs) are a valid reordering of \\(x\\) (the inputs).
108
113
109
-
First, the function gets a challenge scalar `z` by calling the `ConstraintSystem::challenge_scalar`. This challenge is generated from commitments to high-level variables that were passed to the `ConstraintSystem` when it was created. As noted in the `challenge_scalar` documentation, making sure that the challenge circuit is sound requires analysis. In this example, the challenge circuit is sound because the challenge is bound to all of the shuffle inputs and outputs, since the inputs and outputs are high-level variables.
114
+
First, the function gets a challenge scalar \\(z\\) by calling the `ConstraintSystem::challenge_scalar`. This challenge is generated from commitments to high-level variables that were passed to the `ConstraintSystem` when it was created. As noted in the `challenge_scalar` documentation, making sure that the challenge circuit is sound requires analysis. In this example, the challenge circuit is sound because the challenge is bound to all of the shuffle inputs and outputs, since the inputs and outputs are high-level variables.
110
115
111
-
After a check for the lengths of `x` and `y`, the function then makes multipliers to create polynomials in terms of the challenge scalar `z`. It starts with the last multipliers, representing \\( (x_{k-1} - z) * (x_{k-2} - z) \\) and \\( (y_{k-1} - z) * (y_{k-2} - z) \\). The outputs to these last multipliers than become an input to the next multiplier. This continues recursively until it reaches \\( x_0 \\) and \\(y_0\\). Then, it adds a constraint that \\( mulx_out[0] = muly_out[0]\\), which constrains that the two polynomials in terms of challenge scalar `z` are equal to each other. This is true if and only if `y` is a valid reordering of `x`.
116
+
After a check for the lengths of \\(x\\) and \\(y\\), the function then makes multipliers to create polynomials in terms of the challenge scalar \\(z\\). It starts with the last multipliers, representing \\( (x_{k-1} - z) * (x_{k-2} - z) \\) and \\( (y_{k-1} - z) * (y_{k-2} - z) \\). The outputs to these last multipliers than become an input to the next multiplier. This continues recursively until it reaches \\( x_0 \\) and \\(y_0\\). Then, it adds a constraint that \\( mulx_out[0] = muly_out[0]\\), which constrains that the two polynomials in terms of challenge scalar \\(z\\) are equal to each other. This is true if and only if \\(y\\) is a valid reordering of \\(x\\).
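Review bot: The last added paragraph ends with "This is true if and only if \\(y\\) is a valid reordering of \\(x\\)", but the constraint it describes only equates the two products at the single challenge value \\(z\\), so the "only if" direction holds with overwhelming probability over the choice of \\(z\\), not unconditionally. Since the previous paragraph already says challenge soundness requires analysis, this sentence should state that the argument relies on \\(z\\) being chosen after the inputs and outputs are committed. Separately, `mulx_out[0] = muly_out[0]` is inside \\( \\) delimiters, where the underscore will be rendered as a subscript; keep it in backticks as the fenced blocks in the earlier hunk do. Two grammar slips carried over from the old lines could be fixed in the same pass: "is private function" (missing "a") and "than become an input" (should be "then").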