mirror of
synced 2025-02-12 01:55:48 +00:00
Out with the old...
This commit is contained in:
@ -1,3 +0,0 @@
[submodule "tinysnark/libsnark"]
path = tinysnark/libsnark
url = git://github.com/scipr-lab/libsnark.git
@ -1,21 +1,7 @@
sudo: false
language: rust
- nightly
- export CXX="g++-4.8" CC="gcc-4.8"
- ubuntu-toolchain-r-test
- g++-4.8
- gcc-4.8
- libgmp-dev
- stable
- cd tinysnark && cargo test
- cd .. && cargo run --release
- cargo test
- cargo test --release
@ -9,8 +9,4 @@ repository = "https://github.com/ebfull/bellman"
version = "0.0.1"
rand = "0.3.12"
path = "tinysnark"
version = "0.0.1"
rand = "0.3.15"
@ -1,18 +0,0 @@
FROM debian
# Install Rust and Cargo
# TODO: make this architecture agnostic
RUN apt-get update && apt-get install -yy sudo wget
RUN wget https://static.rust-lang.org/dist/rust-nightly-x86_64-unknown-linux-gnu.tar.gz
RUN tar xvf rust-nightly-x86_64-unknown-linux-gnu.tar.gz
RUN cd rust-nightly-x86_64-unknown-linux-gnu && ./install.sh
# Install libsnark dependencies
# g++ (for building libsnark)
# libgmp-dev (for bigint math)
RUN apt-get update && apt-get install -yy g++ libgmp-dev
# Include this directory in the built image
ADD . /bellman
@ -1,560 +0,0 @@
use tinysnark::FieldT;
use std::rc::Rc;
use std::cell::RefCell;
use super::variable::*;
use self::Bit::*;
use self::Op::*;
use super::circuit::*;
macro_rules! mirror {
($a:pat, $b:pat) => (($a, $b) | ($b, $a))
macro_rules! mirror_match {
(@as_expr $e:expr) => {$e};
$e:expr, ($($arms:tt)*);
) => {
mirror_match!(@as_expr match $e { $($arms)* })
$e:expr, $arms:tt;
, $($tail:tt)*
) => {
mirror_match!(@parse $e, $arms; $($tail)*)
$e:expr, ($($arms:tt)*);
mirror!($a:pat, $b:pat) => $body:expr,
) => {
($a, $b) | ($b, $a) => $body,
$e:expr, ($($arms:tt)*);
$pat:pat => $body:expr,
) => {
$pat => $body,
$e:expr, ($($arms:tt)*);
$pat:pat => $body:expr,
) => {
$pat => $body,
(($e:expr) { $($arms:tt)* }) => {
mirror_match!(@parse $e, (); $($arms)*)
#[derive(Debug, Eq, PartialEq, Copy, Clone)]
enum Op {
impl Op {
fn not(&self) -> Op {
match *self {
And => Nand,
Nand => And,
Xor => Xnor,
Xnor => Xor,
Nor => Or,
Or => Nor,
MaterialNonimplication => MaterialImplication,
MaterialImplication => MaterialNonimplication
fn val(&self, a: FieldT, b: FieldT) -> FieldT {
let a = a == FieldT::one();
let b = b == FieldT::one();
let res = match *self {
And => a && b,
Nand => !(a && b),
Xor => a != b,
Xnor => a == b,
Or => a || b,
Nor => !(a || b),
MaterialNonimplication => a && (!b),
MaterialImplication => !(a && (!b))
if res {
} else {
pub struct BinaryOp {
a: Var,
b: Var,
op: Op,
resolved: Rc<RefCell<Option<Var>>>
impl BinaryOp {
fn new(a: Var, b: Var, op: Op) -> BinaryOp {
BinaryOp {
a: a,
b: b,
op: op,
resolved: Rc::new(RefCell::new(None))
fn walk(&self, counter: &mut usize, constraints: &mut Vec<Constraint>, witness_map: &mut WitnessMap)
self.a.walk(counter, constraints, witness_map);
self.b.walk(counter, constraints, witness_map);
fn val(&self, map: &[FieldT], inverted: bool) -> FieldT {
let v = self.op.val(self.a.val(map), self.b.val(map));
if inverted {
if v == FieldT::one() {
} else {
} else {
fn resolve(&self, inverted: bool) -> Bit {
let res = { self.resolved.borrow_mut().clone() };
match res {
Some(v) => {
if inverted {
} else {
None => {
let v = resolve(&self.a, &self.b, self.op);
*self.resolved.borrow_mut() = Some(v.clone());
if inverted {
} else {
pub enum Bit {
Bin(BinaryOp, bool)
struct BitEquality {
a: Bit,
b: Var
impl Constrainable for BitEquality {
type Result = Var;
fn synthesize(&self, enforce: &Bit) -> Var {
// TODO: currently only support unconditional enforcement
match enforce {
&Bit::Constant(true) => {},
_ => unimplemented!()
match self.a {
Bin(ref binop, inverted) => {
// TODO: figure this out later
let mut op = binop.op;
if inverted {
op = op.not();
gadget(&[&binop.a, &binop.b, &self.b], 0, move |vals| {
let a = vals.get_input(0);
let b = vals.get_input(1);
unsafe { vals.set_input(2, op.val(a, b)) };
}, |i, o, cs| {
cs.push(binaryop_constraint(i[0], i[1], i[2], op));
_ => unimplemented!()
impl Equals<Var> for Bit {
type Result = BitEquality;
fn must_equal(&self, other: &Var) -> BitEquality {
BitEquality {
a: self.clone(),
b: other.clone()
fn binaryop_constraint(a: &Var, b: &Var, c: &Var, op: Op) -> Constraint {
match op {
// a * b = c
And => Constraint(vec![(FieldT::one(), a.clone())],
vec![(FieldT::one(), b.clone())],
vec![(FieldT::one(), c.clone())]
// a * b = 1 - c
Nand => Constraint(vec![(FieldT::one(), a.clone())],
vec![(FieldT::one(), b.clone())],
vec![(FieldT::one(), Var::one()),
(-FieldT::one(), c.clone())
// 2a * b = a + b - c
Xor => Constraint(vec![(FieldT::from(2), a.clone())],
vec![(FieldT::one(), b.clone())],
vec![(FieldT::one(), a.clone()),
(FieldT::one(), b.clone()),
(-FieldT::one(), c.clone())
// 2a * b = a + b + c - 1
Xnor => Constraint(vec![(FieldT::from(2), a.clone())],
vec![(FieldT::one(), b.clone())],
(FieldT::one(), a.clone()),
(FieldT::one(), b.clone()),
(FieldT::one(), c.clone()),
(-FieldT::one(), Var::one())
// a * (1 - b) = c
MaterialNonimplication => Constraint(vec![(FieldT::one(), a.clone())],
vec![(FieldT::one(), Var::one()),
(-FieldT::one(), b.clone())
vec![(FieldT::one(), c.clone())]
// a * b = a + c - 1
MaterialImplication => Constraint(vec![(FieldT::one(), a.clone())],
vec![(FieldT::one(), b.clone())],
vec![(FieldT::one(), a.clone()),
(FieldT::one(), c.clone()),
(-FieldT::one(), Var::one())
// (1 - a) * (1 - b) = c
Nor => Constraint(vec![(FieldT::one(), Var::one()),
(-FieldT::one(), a.clone())
vec![(FieldT::one(), Var::one()),
(-FieldT::one(), b.clone())
vec![(FieldT::one(), c.clone())]
// a * b = a + b - c
Or => Constraint(vec![(FieldT::one(), a.clone())],
vec![(FieldT::one(), b.clone())],
vec![(FieldT::one(), a.clone()),
(FieldT::one(), b.clone()),
(-FieldT::one(), c.clone())
fn resolve(a: &Var, b: &Var, op: Op) -> Var {
gadget(&[a, b], 1, move |vals| {
let a = vals.get_input(0);
let b = vals.get_input(1);
vals.set_output(0, op.val(a, b));
}, |i, o, cs| {
cs.push(binaryop_constraint(i[0], i[1], o[0], op));
impl ConstraintWalker for Bit {
fn walk(&self, counter: &mut usize, constraints: &mut Vec<Constraint>, witness_map: &mut WitnessMap)
match *self {
Constant(_) => {},
Not(ref v) => {
v.walk(counter, constraints, witness_map);
Is(ref v) => {
v.walk(counter, constraints, witness_map);
Bin(ref bin, _) => {
bin.walk(counter, constraints, witness_map);
impl Bit {
pub fn val(&self, map: &[FieldT]) -> bool {
match *self {
Constant(c) => c,
Not(ref v) => v.val(map) == FieldT::zero(),
Is(ref v) => v.val(map) == FieldT::one(),
Bin(ref bin, inverted) => bin.val(map, inverted) == FieldT::one()
// probably could remove this
pub fn resolve(&self) -> Bit {
match *self {
Bin(ref bin, inverted) => bin.resolve(inverted),
_ => self.clone()
pub fn new(v: &Var) -> Bit {
Is(gadget(&[v], 0, |_| {}, |i, o, cs| {
// boolean constraint:
// (1 - a) * a = 0
cs.push(Constraint(vec![(FieldT::one(), Var::one()),
(-FieldT::one(), i[0].clone())],
vec![(FieldT::one(), i[0].clone())],
vec![(FieldT::zero(), Var::one())]
pub fn constant(num: bool) -> Bit {
// self xor other
pub fn xor(&self, other: &Bit) -> Bit {
mirror_match!(((self, other)) {
(&Constant(a), &Constant(b)) => {
Constant(a != b)
mirror!(&Is(ref v), &Constant(a)) => {
if a {
// Anything XOR 1 is the NOT of that thing.
} else {
// Anything XOR 0 equals that thing.
mirror!(&Not(ref v), &Constant(a)) => {
if a {
// Anything XOR 1 is the NOT of that thing.
} else {
mirror!(&Bin(ref bin, inverted), &Constant(c)) => {
if c {
// Anything XOR 1 is the NOT of that thing.
Bin(bin.clone(), !inverted)
} else {
Bin(bin.clone(), inverted)
mirror!(&Bin(ref bin, inverted), &Is(ref i)) => {
(&Bin(ref bin1, inverted1), &Bin(ref bin2, inverted2)) => {
mirror!(&Bin(ref bin, inverted), &Not(ref n)) => {
(&Not(ref a), &Not(ref b)) => {
Bin(BinaryOp::new(a.clone(), b.clone(), Xor), false)
mirror!(&Is(ref i), &Not(ref n)) => {
Bin(BinaryOp::new(i.clone(), n.clone(), Xnor), false)
(&Is(ref a), &Is(ref b)) => {
Bin(BinaryOp::new(a.clone(), b.clone(), Xor), false)
pub fn and(&self, other: &Bit) -> Bit {
mirror_match!(((self, other)) {
(&Constant(a), &Constant(b)) => {
Constant(a && b)
mirror!(&Is(ref v), &Constant(a)) => {
if a {
// Anything AND 1 is the identity of that thing
} else {
// Anything AND 0 is false
mirror!(&Not(ref v), &Constant(a)) => {
if a {
// Anything AND 1 is the identity of that thing
} else {
// Anything AND 0 is false
mirror!(&Bin(ref bin, inverted), &Constant(c)) => {
if c {
// Anything AND 1 is the identity of that thing
Bin(bin.clone(), inverted)
} else {
// Anything AND 0 is false
mirror!(&Bin(ref bin, inverted), &Is(ref i)) => {
(&Bin(ref bin1, inverted1), &Bin(ref bin2, inverted2)) => {
mirror!(&Bin(ref bin, inverted), &Not(ref n)) => {
(&Not(ref a), &Not(ref b)) => {
Bin(BinaryOp::new(a.clone(), b.clone(), Nor), false)
mirror!(&Is(ref i), &Not(ref n)) => {
Bin(BinaryOp::new(i.clone(), n.clone(), MaterialNonimplication), false)
(&Is(ref a), &Is(ref b)) => {
Bin(BinaryOp::new(a.clone(), b.clone(), And), false)
// (not self) and other
pub fn notand(&self, other: &Bit) -> Bit {
fn test_binary_op<F: Fn(&Bit, &Bit) -> Bit>(op: F, a_in: i64, b_in: i64, c_out: i64)
let a = Var::new(1);
let b = Var::new(2);
let a = Bit::new(&a);
let b = Bit::new(&b);
let mut counter = 3;
let mut witness_map = WitnessMap::new();
let mut constraints = vec![];
let c = op(&a, &b);
let c = c.resolve();
c.walk(&mut counter, &mut constraints, &mut witness_map);
assert_eq!(counter, 4);
assert_eq!(constraints.len(), 3);
assert_eq!(witness_map.len(), 2);
assert_eq!(witness_map[&1].len(), 2);
assert_eq!(witness_map[&2].len(), 1);
let mut f: Vec<FieldT> = (0..counter).map(|_| FieldT::zero()).collect();
f[0] = FieldT::one();
f[1] = FieldT::from(a_in);
f[2] = FieldT::from(b_in);
witness_field_elements(&mut f, &witness_map);
assert_eq!(f[3], FieldT::from(c_out));
fn test_xor() {
use tinysnark;
test_binary_op(Bit::xor, 0, 0, 0);
test_binary_op(Bit::xor, 0, 1, 1);
test_binary_op(Bit::xor, 1, 0, 1);
test_binary_op(Bit::xor, 1, 1, 0);
fn test_and() {
use tinysnark;
test_binary_op(Bit::and, 0, 0, 0);
test_binary_op(Bit::and, 0, 1, 0);
test_binary_op(Bit::and, 1, 0, 0);
test_binary_op(Bit::and, 1, 1, 1);
@ -1,148 +0,0 @@
use tinysnark::{Proof, Keypair, FieldT, LinearTerm, ConstraintSystem};
use super::variable::{Var,Constraint,WitnessMap,witness_field_elements};
use super::bit::Bit;
pub trait ConstraintWalker: 'static {
fn walk(&self,
counter: &mut usize,
constraints: &mut Vec<Constraint>,
witness_map: &mut WitnessMap);
impl<C: ConstraintWalker> ConstraintWalker for Vec<C> {
fn walk(&self,
counter: &mut usize,
constraints: &mut Vec<Constraint>,
witness_map: &mut WitnessMap)
for i in self {
i.walk(counter, constraints, witness_map);
pub trait Constrainable {
type Result: ConstraintWalker;
fn synthesize(&self, enforce: &Bit) -> Self::Result;
impl<C: Constrainable> Constrainable for Vec<C> {
type Result = Vec<C::Result>;
fn synthesize(&self, enforce: &Bit) -> Vec<C::Result> {
self.iter().map(|a| a.synthesize(enforce)).collect()
pub trait Equals<Rhs: ?Sized> {
type Result: Constrainable;
fn must_equal(&self, other: &Rhs) -> Self::Result;
impl<Lhs, Rhs> Equals<[Rhs]> for [Lhs] where Lhs: Equals<Rhs> {
type Result = Vec<Lhs::Result>;
fn must_equal(&self, other: &[Rhs]) -> Vec<Lhs::Result> {
assert_eq!(self.len(), other.len());
self.iter().zip(other.iter()).map(|(a, b)| a.must_equal(b)).collect()
pub struct Circuit {
public_inputs: usize,
private_inputs: usize,
aux_inputs: usize,
keypair: Keypair,
witness_map: WitnessMap
impl Circuit {
pub fn verify(&self, proof: &Proof, public: &[FieldT]) -> bool
proof.verify(&self.keypair, public)
pub fn prove(&self, public: &[FieldT], private: &[FieldT]) -> Result<Proof, ()>
assert_eq!(public.len(), self.public_inputs);
assert_eq!(private.len(), self.private_inputs);
let mut vars = Vec::new();
for i in 0..self.aux_inputs {
witness_field_elements(&mut vars, &self.witness_map);
let primary = &vars[1..public.len()+1];
let aux = &vars[1+public.len()..];
if !self.keypair.is_satisfied(primary, aux) {
return Err(())
Ok(Proof::new(&self.keypair, primary, aux))
pub struct CircuitBuilder {
public_inputs: usize,
private_inputs: usize,
constraints: Vec<Box<ConstraintWalker>>
impl CircuitBuilder {
pub fn new(num_public: usize, num_private: usize) -> (Vec<Var>, Vec<Var>, CircuitBuilder) {
(0..num_public).map(|x| Var::new(1+x)).collect(),
(0..num_private).map(|x| Var::new(1+num_public+x)).collect(),
CircuitBuilder {
public_inputs: num_public,
private_inputs: num_private,
constraints: Vec::new()
pub fn constrain<C: Constrainable>(&mut self, constraint: C) {
pub fn finalize(self) -> Circuit {
let mut counter = 1 + self.public_inputs + self.private_inputs;
let mut constraints = vec![];
let mut witness_map = WitnessMap::new();
for c in self.constraints.into_iter() {
c.walk(&mut counter, &mut constraints, &mut witness_map);
let mut cs = ConstraintSystem::new(self.public_inputs, (counter - 1) - self.public_inputs);
for Constraint(a, b, c) in constraints {
let a: Vec<_> = a.into_iter().map(|x| LinearTerm { coeff: x.0, index: x.1.index() }).collect();
let b: Vec<_> = b.into_iter().map(|x| LinearTerm { coeff: x.0, index: x.1.index() }).collect();
let c: Vec<_> = c.into_iter().map(|x| LinearTerm { coeff: x.0, index: x.1.index() }).collect();
cs.add_constraint(&a, &b, &c);
let kp = Keypair::new(&cs);
Circuit {
public_inputs: self.public_inputs,
private_inputs: self.private_inputs,
aux_inputs: ((counter - 1) - self.public_inputs) - self.private_inputs,
keypair: kp,
witness_map: witness_map
@ -1,415 +0,0 @@
use super::bit::Bit;
use std::slice::IterMut;
const KECCAKF_RNDC: [u64; 24] =
0x0000000000000001, 0x0000000000008082, 0x800000000000808a,
0x8000000080008000, 0x000000000000808b, 0x0000000080000001,
0x8000000080008081, 0x8000000000008009, 0x000000000000008a,
0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
0x000000008000808b, 0x800000000000008b, 0x8000000000008089,
0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
0x000000000000800a, 0x800000008000000a, 0x8000000080008081,
0x8000000000008080, 0x0000000080000001, 0x8000000080008008
const KECCAKF_ROTC: [usize; 24] =
1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14,
27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44
const KECCAKF_PILN: [usize; 24] =
10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4,
15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1
fn keccakf(st: &mut [Byte], rounds: usize)
use std::borrow::Borrow;
struct State<B: Borrow<Bit>> {
bits: Vec<B>
impl<'a> State<&'a mut Bit> {
fn new(bytes: &'a mut [Byte]) -> State<&'a mut Bit> {
State {
bits: bytes.iter_mut()
.rev() // Endianness
.flat_map(|b| b.iter_mut())
fn set(&mut self, to: State<Bit>) {
for (a, b) in self.bits.iter_mut()
.zip(to.bits.into_iter()) {
**a = b;
impl From<u64> for State<Bit> {
fn from(num: u64) -> State<Bit> {
fn bit_at(num: u64, i: usize) -> bool {
((num << i) >> 63) == 1
State {
bits: (0..64).map(|i| Bit::constant(bit_at(num, i))).collect()
impl<A: Borrow<Bit>> State<A> {
fn duplicate(&self) -> State<Bit> {
State {
bits: self.bits.iter().map(|a| a.borrow())
.map(|a| (*a).clone())
fn binary_map<F, B>(&self, other: &State<B>, f: F) -> State<Bit>
where F: Fn(&Bit, &Bit) -> Bit, B: Borrow<Bit>
State {
bits: self.bits.iter().map(|a| a.borrow())
.zip(other.bits.iter().map(|a| a.borrow()))
.map(|(a, b)| f(a, b))
fn xor<B: Borrow<Bit>>(&self, other: &State<B>) -> State<Bit> {
self.binary_map(other, Bit::xor)
fn notand<B: Borrow<Bit>>(&self, other: &State<B>) -> State<Bit> {
self.binary_map(other, Bit::notand)
fn rotl(&self, by: usize) -> State<Bit> {
let by = by % 64;
State {
bits: self.bits[by..].iter().map(|a| a.borrow())
.chain(self.bits[0..by].iter().map(|a| a.borrow()))
let mut st: Vec<_> = st.chunks_mut(8).map(|c| State::new(c)).collect();
for round in 0..rounds {
// Theta
for (i = 0; i < 5; i++)
bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] ^ st[i + 20];
let mut bc: Vec<State<Bit>> = (0..5).map(|i| st[i]
for (i = 0; i < 5; i++) {
t = bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5], 1);
for (j = 0; j < 25; j += 5)
st[j + i] ^= t;
for i in 0..5 {
let tmp = bc[(i + 4) % 5].xor(&bc[(i + 1) % 5].rotl(1));
for j in (0..25).filter(|a| a % 5 == 0) {
let new = tmp.xor(&st[j + i]);
st[j + i].set(new);
// Rho Pi
t = st[1];
for (i = 0; i < 24; i++) {
j = keccakf_piln[i];
bc[0] = st[j];
st[j] = ROTL64(t, keccakf_rotc[i]);
t = bc[0];
let mut tmp = st[1].duplicate();
for i in 0..24 {
let j = KECCAKF_PILN[i];
bc[0] = st[j].duplicate();
tmp = bc[0].duplicate();
// Chi
for (j = 0; j < 25; j += 5) {
for (i = 0; i < 5; i++)
bc[i] = st[j + i];
for (i = 0; i < 5; i++)
st[j + i] ^= (~bc[(i + 1) % 5]) & bc[(i + 2) % 5];
for j in (0..25).filter(|a| a % 5 == 0) {
for i in 0..5 {
bc[i] = st[j + i].duplicate();
for i in 0..5 {
let n = st[j + i].xor(&bc[(i + 1) % 5].notand(&bc[(i + 2) % 5]));
st[j + i].set(n);
// Iota
st[0] ^= keccakf_rndc[round];
let n = st[0].xor(&KECCAKF_RNDC[round].into());
pub fn sha3_256(message: &[Byte]) -> Vec<Bit> {
// As defined by FIPS202
keccak(1088, 512, message, 0x06, 32, 24)
fn keccak(rate: usize, capacity: usize, mut input: &[Byte], delimited_suffix: u8, mut mdlen: usize, num_rounds: usize)
-> Vec<Bit>
use std::cmp::min;
let mut st: Vec<Byte> = Some(Byte::new(0)).into_iter().cycle().take(200).collect();
let rate_in_bytes = rate / 8;
let mut input_byte_len = input.len();
let mut block_size = 0;
if ((rate + capacity) != 1600) || ((rate % 8) != 0) {
panic!("invalid parameters");
while input_byte_len > 0 {
block_size = min(input_byte_len, rate_in_bytes);
for i in 0..block_size {
st[i] = st[i].xor(&input[i]);
input = &input[block_size..];
input_byte_len -= block_size;
if block_size == rate_in_bytes {
keccakf(&mut st, num_rounds);
block_size = 0;
st[block_size] = st[block_size].xor(&Byte::new(delimited_suffix));
if ((delimited_suffix & 0x80) != 0) && (block_size == (rate_in_bytes-1)) {
keccakf(&mut st, num_rounds);
st[rate_in_bytes-1] = st[rate_in_bytes-1].xor(&Byte::new(0x80));
keccakf(&mut st, num_rounds);
let mut output = Vec::with_capacity(mdlen);
while mdlen > 0 {
block_size = min(mdlen, rate_in_bytes);
mdlen -= block_size;
if mdlen > 0 {
keccakf(&mut st, num_rounds);
output.into_iter().flat_map(|byte| byte.bits.into_iter()).collect()
fn test_sha3_256() {
use super::circuit::{CircuitBuilder,Equals};
use super::variable::Var;
use tinysnark::{self,FieldT};
let test_vector: Vec<(Vec<u8>, [u8; 32])> = vec![
(vec![0x30, 0x31, 0x30, 0x31],
((0..64).map(|_| 0x30).collect::<Vec<_>>(),
((0..128).map(|_| 0x30).collect::<Vec<_>>(),
((0..256).map(|_| 0x30).collect::<Vec<_>>(),
((0..512).map(|_| 0x30).collect::<Vec<_>>(),
((0..64).map(|_| 0x00).collect::<Vec<_>>(),
for (i, &(ref message, ref expected)) in test_vector.iter().enumerate() {
let message: Vec<Byte> = message.iter().map(|a| Byte::new(*a)).collect();
let result: Vec<u8> = sha3_256(&message)
.map(|a| Byte::from(a))
.map(|a| a.unwrap_constant())
if &*result != expected {
print!("Got: ");
for i in result.iter() {
print!("0x{:02x},", i);
print!("\nExpected: ");
for i in expected.iter() {
print!("0x{:02x},", i);
panic!("Hash {} failed!", i+1);
} else {
println!("--- HASH {} SUCCESS ---", i+1);
for (i, &(ref message, ref expected)) in test_vector.iter().enumerate() {
fn into_bytes(a: &[Var]) -> Vec<Byte> {
let a: Vec<_> = a.into_iter().map(|a| Bit::new(a)).collect();
a.chunks(8).map(|a| Byte::from(a)).collect()
fn into_fieldt(a: &[u8], vars: &mut [FieldT]) {
let mut counter = 0;
for byte in a {
for bit in (0..8).map(|i| byte & (1 << i) != 0).rev() {
if bit { vars[counter] = FieldT::one() } else { vars[counter] = FieldT::zero() }
counter += 1;
let (public, private, mut circuit) = CircuitBuilder::new(expected.len() * 8, message.len() * 8);
let private = into_bytes(&private);
let circuit = circuit.finalize();
let mut input: Vec<FieldT> = (0..message.len() * 8).map(|_| FieldT::zero()).collect();
let mut output: Vec<FieldT> = (0..expected.len() * 8).map(|_| FieldT::zero()).collect();
into_fieldt(message, &mut input);
into_fieldt(expected, &mut output);
let proof = circuit.prove(&output, &input).unwrap();
assert!(circuit.verify(&proof, &output));
pub struct Byte {
bits: Vec<Bit>
impl<'a> From<&'a [Bit]> for Byte {
fn from(a: &'a [Bit]) -> Byte {
assert_eq!(8, a.len());
Byte {
bits: a.to_owned()
impl Byte {
pub fn bits(&self) -> Vec<Bit> {
pub fn new(byte: u8) -> Byte {
Byte {
bits: (0..8).map(|i| Bit::constant(byte & (1 << i) != 0))
pub fn iter_mut(&mut self) -> IterMut<Bit> {
pub fn unwrap_constant(&self) -> u8 {
let mut cur = 7;
let mut acc = 0;
for bit in &self.bits {
match bit {
&Bit::Constant(true) => {
acc |= 1 << cur;
&Bit::Constant(false) => {},
_ => panic!("Tried to unwrap a constant from a non-constant")
cur -= 1;
pub fn xor(&self, other: &Byte) -> Byte {
Byte {
bits: self.bits.iter()
.map(|(a, b)| a.xor(b))
Normal file
Normal file
@ -1,19 +0,0 @@
#![feature(iter_arith, btree_range, collections_bound)]
extern crate tinysnark;
extern crate rand;
use tinysnark::{Proof, Keypair, FieldT, LinearTerm, ConstraintSystem};
use variable::*;
use circuit::*;
use keccak::*;
use bit::*;
mod variable;
mod keccak;
mod bit;
mod circuit;
fn main() {
@ -1,178 +0,0 @@
use tinysnark::FieldT;
use std::cell::Cell;
use std::rc::Rc;
use std::collections::BTreeMap;
use super::circuit::ConstraintWalker;
pub type WitnessMap = BTreeMap<usize, Vec<(Vec<usize>, Vec<usize>, Rc<Fn(&mut VariableView) + 'static>)>>;
struct VariableView<'a> {
vars: &'a mut [FieldT],
inputs: &'a [usize],
outputs: &'a [usize]
impl<'a> VariableView<'a> {
/// Sets an output variable at `index` to value `to`.
pub fn set_output(&mut self, index: usize, to: FieldT) {
self.vars[self.outputs[index]] = to;
/// Gets the value of an input variable at `index`.
pub fn get_input(&self, index: usize) -> FieldT {
/// Sets the value of an input variable. This is unsafe
/// because theoretically this should not be necessary,
/// and could cause soundness problems, but I've temporarily
/// done this to make testing easier.
pub fn set_input(&mut self, index: usize, to: FieldT) {
self.vars[self.inputs[index]] = to;
use std::collections::Bound::Unbounded;
pub fn witness_field_elements(vars: &mut [FieldT], witness_map: &WitnessMap) {
for (n, group) in witness_map.range(Unbounded, Unbounded) {
for &(ref i, ref o, ref f) in group.iter() {
let mut vars = VariableView {
vars: vars,
inputs: &*i,
outputs: &*o
f(&mut vars);
pub struct Constraint(pub Vec<(FieldT, Var)>, pub Vec<(FieldT, Var)>, pub Vec<(FieldT, Var)>);
struct Gadget {
inputs: Vec<Var>,
aux: Vec<Var>,
witness: Rc<Fn(&mut VariableView) + 'static>,
constraints: Vec<Constraint>,
group: usize,
visited: Cell<bool>
impl Gadget {
pub fn walk(&self, counter: &mut usize, constraints: &mut Vec<Constraint>, witness_map: &mut WitnessMap) {
if self.visited.get() {
for a in &self.aux {
assert!(a.index.get() == 0);
*counter += 1;
for i in &self.inputs {
i.walk(counter, constraints, witness_map);
let input_indexes = self.inputs.iter().map(|i| i.index.get()).collect();
let output_indexes = self.aux.iter().map(|i| i.index.get()).collect();
.or_insert_with(|| Vec::new())
.push((input_indexes, output_indexes, self.witness.clone()));
pub struct Var {
index: Rc<Cell<usize>>,
gadget: Option<Rc<Gadget>>
impl Var {
// todo: make this not public
pub fn new(i: usize) -> Var {
Var {
index: Rc::new(Cell::new(i)),
gadget: None
pub fn one() -> Var {
Var {
index: Rc::new(Cell::new(0)),
gadget: None
pub fn index(&self) -> usize {
pub fn val(&self, map: &[FieldT]) -> FieldT {
let index = self.index.get();
assert!(index != 0);
fn group(&self) -> usize {
match self.gadget {
None => 0,
Some(ref g) => g.group
impl ConstraintWalker for Var {
fn walk(&self, counter: &mut usize, constraints: &mut Vec<Constraint>, witness_map: &mut WitnessMap) {
match self.gadget {
None => {},
Some(ref g) => g.walk(counter, constraints, witness_map)
pub fn gadget<W, C>(
inputs: &[&Var],
aux: usize,
witness: W,
constrain: C
) -> Vec<Var>
where C: for<'a> Fn(&[&'a Var], &[&'a Var], &mut Vec<Constraint>) -> Vec<&'a Var>,
W: Fn(&mut VariableView) + 'static
let this_group = inputs.iter().map(|i| i.group()).max().map(|a| a+1).unwrap_or(0);
let aux: Vec<_> = (0..aux).map(|_| Var::new(0)).collect();
let aux: Vec<_> = aux.iter().collect();
let mut constraints = vec![];
let outputs = constrain(inputs, &*aux, &mut constraints);
let gadget = Rc::new(Gadget {
inputs: inputs.iter().map(|a| (*a).clone()).collect(),
aux: aux.iter().map(|a| (*a).clone()).collect(),
witness: Rc::new(witness),
constraints: constraints,
group: this_group,
visited: Cell::new(false)
outputs.into_iter().map(|a| {
let mut a = (*a).clone();
// TODO: we should augment the gadget instead
// of replacing it
a.gadget = Some(gadget.clone());
@ -1,2 +0,0 @@
@ -1,16 +0,0 @@
authors = ["Sean Bowe <ewillbefull@gmail.com>"]
build = "build.rs"
description = "Tiny libsnark bindings"
documentation = "https://github.com/ebfull/bellman"
homepage = "https://github.com/ebfull/bellman"
license = "MIT"
name = "tinysnark"
repository = "https://github.com/ebfull/bellman"
version = "0.0.1"
gcc = "0.3"
libc = "0.2.4"
@ -1 +0,0 @@
This is a tiny wrapper around libsnark's r1cs_ppzksnark on ALT_BN128.
@ -1,40 +0,0 @@
extern crate gcc;
fn main() {
// we don't need ate-pairing for ALT_BN128, but
// i'll keep this in case i need it for some reason...
let mut cfg = gcc::Config::new();
.define("BN_SUPPORT_SNARK", None)
let mut cfg = gcc::Config::new();
.define("NO_PROCPS", None)
.define("STATIC", None)
.define("CURVE_ALT_BN128", None)
@ -1 +0,0 @@
Subproject commit 0b928a7b36717db6f67ff7e1e34dfa3bfaee1c97
@ -1,98 +0,0 @@
use libc::{c_ulong, c_long};
use std::ops::{Neg, Add, Mul};
extern "C" {
fn tinysnark_fieldt_zero() -> FieldT;
fn tinysnark_fieldt_one() -> FieldT;
fn tinysnark_fieldt_neg(val: FieldT) -> FieldT;
fn tinysnark_fieldt_inverse(val: FieldT) -> FieldT;
fn tinysnark_fieldt_from_long(val: c_long) -> FieldT;
fn tinysnark_long_from_fieldt(val: FieldT) -> c_ulong;
fn tinysnark_fieldt_mul(a: FieldT, b: FieldT) -> FieldT;
fn tinysnark_fieldt_add(a: FieldT, b: FieldT) -> FieldT;
#[derive(Copy, Clone, Debug)]
struct EightBytes(u64);
#[derive(Copy, Clone, Debug)]
pub struct FieldT([u8; 32], [EightBytes; 0]);
impl FieldT {
pub fn one() -> FieldT {
unsafe { tinysnark_fieldt_one() }
pub fn zero() -> FieldT {
unsafe { tinysnark_fieldt_zero() }
pub fn inverse(self) -> FieldT {
unsafe { tinysnark_fieldt_inverse(self) }
pub fn debug_equal(&self, is: [u8; 32]) -> bool {
&FieldT(is, []) == self
impl From<i64> for FieldT {
fn from(num: i64) -> FieldT {
unsafe { tinysnark_fieldt_from_long(num) }
impl From<FieldT> for u64 {
fn from(num: FieldT) -> u64 {
unsafe { tinysnark_long_from_fieldt(num) }
impl Neg for FieldT {
type Output = FieldT;
fn neg(self) -> FieldT {
unsafe { tinysnark_fieldt_neg(self) }
impl Add for FieldT {
type Output = FieldT;
fn add(self, other: FieldT) -> FieldT {
unsafe { tinysnark_fieldt_add(self, other) }
impl Mul for FieldT {
type Output = FieldT;
fn mul(self, other: FieldT) -> FieldT {
unsafe { tinysnark_fieldt_mul(self, other) }
impl PartialEq for FieldT {
fn eq(&self, other: &FieldT) -> bool {
for i in 0..32 {
if (self.0)[i] != (other.0)[i] {
return false;
impl Eq for FieldT { }
@ -1,156 +0,0 @@
#![feature(box_syntax, repr_simd)]
//#![cfg_attr(test, feature(test))]
extern crate libc;
mod arith;
mod r1cs;
pub use self::arith::*;
pub use self::r1cs::*;
use std::sync::{Once, ONCE_INIT};
static START: Once = ONCE_INIT;
static mut INITIALIZED: bool = false;
extern "C" {
fn tinysnark_init_public_params();
pub fn tinysnark_test();
pub fn init() {
START.call_once(|| {
unsafe { tinysnark_init_public_params(); }
unsafe { INITIALIZED = true; }
pub fn is_initialized() -> bool {
unsafe { INITIALIZED }
mod tests {
//extern crate test;
use super::{init, FieldT, Proof, Keypair, LinearTerm, ConstraintSystem};
//use self::test::Bencher;
fn test_zk() {
fn test_cs_and_prove<N: Into<FieldT> + Copy>(cs: &ConstraintSystem, primary: &[N], aux: &[N]) -> bool
let primary: Vec<FieldT> = primary.iter().map(|n| (*n).into()).collect();
let aux: Vec<FieldT> = aux.iter().map(|n| (*n).into()).collect();
if !cs.test(&primary, &aux) {
return false;
let kp = Keypair::new(cs);
let proof = Proof::new(&kp, &primary, &aux);
// If we construct a proof, it should be impossible
// that it doesn't verify.
assert!(proof.verify(&kp, &primary));
return true;
let mut cs = ConstraintSystem::new(1, 2);
// zkpok { (a, b) c = a * b }
&[LinearTerm{coeff: FieldT::one(), index: 2}],
&[LinearTerm{coeff: FieldT::one(), index: 3}],
&[LinearTerm{coeff: FieldT::one(), index: 1}]
assert!(test_cs_and_prove(&cs, &[1], &[1, 1]));
assert!(test_cs_and_prove(&cs, &[0], &[0, 1]));
assert!(test_cs_and_prove(&cs, &[10], &[5, 2]));
assert!(!test_cs_and_prove(&cs, &[10], &[6, 2]));
let mut cs = ConstraintSystem::new(0, 1);
// simple boolean constraint
// (1-x) * x = 0
&[LinearTerm{coeff: FieldT::one(), index: 0},
LinearTerm{coeff: -FieldT::one(), index: 1}],
&[LinearTerm{coeff: FieldT::one(), index: 1}],
&[LinearTerm{coeff: FieldT::zero(), index: 0}]
assert!(test_cs_and_prove(&cs, &[], &[0]));
assert!(test_cs_and_prove(&cs, &[], &[1]));
assert!(!test_cs_and_prove(&cs, &[], &[2]));
let mut cs = ConstraintSystem::new(2, 1);
// boolean + xor
&[LinearTerm{coeff: FieldT::one(), index: 0},
LinearTerm{coeff: -FieldT::one(), index: 3}],
&[LinearTerm{coeff: FieldT::one(), index: 3}],
&[LinearTerm{coeff: FieldT::zero(), index: 0}]
&[LinearTerm{coeff: FieldT::from(2), index: 2}],
&[LinearTerm{coeff: FieldT::one(), index: 3}],
&[LinearTerm{coeff: FieldT::one(), index: 2},
LinearTerm{coeff: FieldT::one(), index: 3},
LinearTerm{coeff: -FieldT::one(), index: 1}]
assert!(test_cs_and_prove(&cs, &[0, 0], &[0]));
assert!(test_cs_and_prove(&cs, &[1, 1], &[0]));
assert!(test_cs_and_prove(&cs, &[1, 0], &[1]));
assert!(test_cs_and_prove(&cs, &[0, 1], &[1]));
assert!(!test_cs_and_prove(&cs, &[0, 1], &[100]));
fn test_one() {
let one = FieldT::one();
let negone = -one;
let newone = -negone;
assert!(one == newone);
assert!(one != negone);
assert!(newone != negone);
assert_eq!(one, 1.into());
assert_eq!(negone, (-1).into());
assert!(one.debug_equal([251, 255, 255, 79, 28, 52, 150, 172, 41, 205, 96, 159, 149, 118, 252, 54, 46, 70, 121, 120, 111, 163, 110, 102, 47, 223, 7, 154, 193, 119, 10, 14]));
assert!(negone.debug_equal([6, 0, 0, 160, 119, 193, 75, 151, 103, 163, 88, 218, 178, 113, 55, 241, 46, 18, 8, 9, 71, 162, 225, 81, 250, 192, 41, 71, 177, 214, 89, 34]));
fn test_math() {
assert_eq!(FieldT::one() + 10.into(), 11.into());
assert_eq!(FieldT::from(2) + 2.into(), FieldT::from(2) * 2.into());
assert_eq!(FieldT::from(2), FieldT::from(-1) + FieldT::one() * 3.into());
assert_eq!(FieldT::one(), FieldT::from(100) * FieldT::from(100).inverse());
fn test_conversions() {
for i in 0..10000 {
let num: FieldT = i.into();
let back: u64 = num.into();
assert_eq!(i, back as i64);
assert_eq!(u64::from(FieldT::from(-1)), 4891460686036598784);
@ -1,158 +0,0 @@
use libc::{size_t};
use super::arith::FieldT;
struct R1ConstraintSystem;
pub struct LinearTerm {
pub coeff: FieldT,
pub index: size_t
extern "C" {
fn tinysnark_new_r1cs(primary: size_t, aux: size_t) -> *mut R1ConstraintSystem;
fn tinysnark_drop_r1cs(cs: *mut R1ConstraintSystem);
fn tinysnark_satisfy_test(cs: *mut R1ConstraintSystem, primary: *const FieldT, aux: *const FieldT) -> bool;
fn tinysnark_add_constraint(cs: *mut R1ConstraintSystem,
a: *const LinearTerm,
a_len: size_t,
b: *const LinearTerm,
b_len: size_t,
c: *const LinearTerm,
c_len: size_t
pub struct ConstraintSystem {
cs: *mut R1ConstraintSystem,
primary_size: usize,
aux_size: usize
impl Drop for ConstraintSystem {
fn drop(&mut self) {
unsafe { tinysnark_drop_r1cs(self.cs) }
impl ConstraintSystem {
pub fn new(primary_size: usize, aux_size: usize) -> ConstraintSystem {
ConstraintSystem {
cs: unsafe { tinysnark_new_r1cs(primary_size, aux_size) },
primary_size: primary_size,
aux_size: aux_size
pub fn add_constraint(&mut self, a: &[LinearTerm], b: &[LinearTerm], c: &[LinearTerm])
unsafe {
pub fn test(&self, primary: &[FieldT], aux: &[FieldT]) -> bool
assert_eq!(primary.len(), self.primary_size);
assert_eq!(aux.len(), self.aux_size);
unsafe {
tinysnark_satisfy_test(self.cs, primary.get_unchecked(0), aux.get_unchecked(0))
struct R1CSKeypair;
pub struct Keypair {
kp: *mut R1CSKeypair,
primary_size: usize,
aux_size: usize
impl Keypair {
pub fn new(constraint_system: &ConstraintSystem) -> Keypair {
Keypair {
kp: unsafe { tinysnark_gen_keypair(constraint_system.cs) },
primary_size: constraint_system.primary_size,
aux_size: constraint_system.aux_size
pub fn is_satisfied(&self, primary: &[FieldT], aux: &[FieldT]) -> bool {
assert_eq!(primary.len(), self.primary_size);
assert_eq!(aux.len(), self.aux_size);
unsafe {
tinysnark_keypair_satisfies_test(self.kp, primary.get_unchecked(0), aux.get_unchecked(0))
impl Drop for Keypair {
fn drop(&mut self) {
unsafe { tinysnark_drop_keypair(self.kp) }
extern "C" {
fn tinysnark_gen_keypair(cs: *mut R1ConstraintSystem) -> *mut R1CSKeypair;
fn tinysnark_drop_keypair(cs: *mut R1CSKeypair);
fn tinysnark_keypair_satisfies_test(kp: *mut R1CSKeypair, primary: *const FieldT, aux: *const FieldT) -> bool;
struct R1CSProof;
pub struct Proof {
proof: *mut R1CSProof
impl Proof {
pub fn new(keypair: &Keypair, primary: &[FieldT], aux: &[FieldT])
-> Proof
assert_eq!(primary.len(), keypair.primary_size);
assert_eq!(aux.len(), keypair.aux_size);
unsafe {
Proof {
proof: tinysnark_gen_proof(keypair.kp, primary.get_unchecked(0), aux.get_unchecked(0))
pub fn verify(&self, keypair: &Keypair, primary: &[FieldT]) -> bool {
assert_eq!(primary.len(), keypair.primary_size);
unsafe {
tinysnark_verify_proof(self.proof, keypair.kp, primary.get_unchecked(0))
impl Drop for Proof {
fn drop(&mut self) {
unsafe { tinysnark_drop_proof(self.proof) }
extern "C" {
fn tinysnark_gen_proof(keypair: *mut R1CSKeypair,
primary: *const FieldT,
aux: *const FieldT) -> *mut R1CSProof;
fn tinysnark_verify_proof(proof: *mut R1CSProof,
keypair: *mut R1CSKeypair,
primary: *const FieldT) -> bool;
fn tinysnark_drop_proof(proof: *mut R1CSProof);
@ -1,213 +0,0 @@
This is a wrapper around libsnark which provides basic R1CS
zk-SNARK support using the ALT_BN128 curve.
#include "gadgetlib1/gadgets/basic_gadgets.hpp"
#include "zk_proof_systems/ppzksnark/r1cs_ppzksnark/r1cs_ppzksnark.hpp"
#include "common/default_types/r1cs_ppzksnark_pp.hpp"
#include "common/utils.hpp"
#include "gadgetlib1/gadgets/hashes/sha256/sha256_gadget.hpp"
using namespace libsnark;
using namespace std;
typedef Fr<default_r1cs_ppzksnark_pp> FieldT;
struct tinysnark_linear_term {
FieldT coeff;
size_t index;
extern "C" void * tinysnark_gen_proof(void * kp, FieldT* primary, FieldT* aux) {
r1cs_ppzksnark_keypair<default_r1cs_ppzksnark_pp>* keypair = static_cast<r1cs_ppzksnark_keypair<default_r1cs_ppzksnark_pp>*>(kp);
r1cs_primary_input<FieldT> primary_input(primary, primary+(keypair->pk.constraint_system.primary_input_size));
r1cs_auxiliary_input<FieldT> aux_input(aux, aux+(keypair->pk.constraint_system.auxiliary_input_size));
auto proof = new r1cs_ppzksnark_proof<default_r1cs_ppzksnark_pp>(
r1cs_ppzksnark_prover<default_r1cs_ppzksnark_pp>(keypair->pk, primary_input, aux_input)
return static_cast<void*>(std::move(proof));
extern "C" bool tinysnark_verify_proof(void * iproof, void * kp, FieldT* primary) {
r1cs_ppzksnark_proof<default_r1cs_ppzksnark_pp>* proof = static_cast<r1cs_ppzksnark_proof<default_r1cs_ppzksnark_pp>*>(iproof);
r1cs_ppzksnark_keypair<default_r1cs_ppzksnark_pp>* keypair = static_cast<r1cs_ppzksnark_keypair<default_r1cs_ppzksnark_pp>*>(kp);
r1cs_primary_input<FieldT> primary_input(primary, primary+(keypair->pk.constraint_system.primary_input_size));
return r1cs_ppzksnark_verifier_strong_IC<default_r1cs_ppzksnark_pp>(keypair->vk, primary_input, *proof);
extern "C" void * tinysnark_drop_proof(void * proof) {
r1cs_ppzksnark_proof<default_r1cs_ppzksnark_pp>* p = static_cast<r1cs_ppzksnark_proof<default_r1cs_ppzksnark_pp>*>(proof);
delete p;
extern "C" void * tinysnark_gen_keypair(void * ics) {
r1cs_constraint_system<FieldT>* cs = static_cast<r1cs_constraint_system<FieldT>*>(ics);
auto keypair = new r1cs_ppzksnark_keypair<default_r1cs_ppzksnark_pp>(
return static_cast<void*>(std::move(keypair));
extern "C" void * tinysnark_drop_keypair(void * kp) {
r1cs_ppzksnark_keypair<default_r1cs_ppzksnark_pp>* k = static_cast<r1cs_ppzksnark_keypair<default_r1cs_ppzksnark_pp>*>(kp);
delete k;
extern "C" void * tinysnark_new_r1cs(size_t primary_size, size_t aux_size) {
auto cs = new r1cs_constraint_system<FieldT>();
cs->primary_input_size = primary_size;
cs->auxiliary_input_size = aux_size;
return static_cast<void*>(std::move(cs));
extern "C" void tinysnark_drop_r1cs(void * ics) {
r1cs_constraint_system<FieldT>* cs = static_cast<r1cs_constraint_system<FieldT>*>(ics);
delete cs;
extern "C" bool tinysnark_keypair_satisfies_test(void * kp, FieldT* primary, FieldT* aux)
r1cs_ppzksnark_keypair<default_r1cs_ppzksnark_pp>* keypair = static_cast<r1cs_ppzksnark_keypair<default_r1cs_ppzksnark_pp>*>(kp);
r1cs_constraint_system<FieldT>* cs = &keypair->pk.constraint_system;
r1cs_primary_input<FieldT> primary_input(primary, primary+(cs->primary_input_size));
r1cs_auxiliary_input<FieldT> aux_input(aux, aux+(cs->auxiliary_input_size));
return cs->is_valid() && cs->is_satisfied(primary_input, aux_input);
extern "C" bool tinysnark_satisfy_test(void * ics, FieldT* primary, FieldT* aux) {
r1cs_constraint_system<FieldT>* cs = static_cast<r1cs_constraint_system<FieldT>*>(ics);
r1cs_primary_input<FieldT> primary_input(primary, primary+(cs->primary_input_size));
r1cs_auxiliary_input<FieldT> aux_input(aux, aux+(cs->auxiliary_input_size));
return cs->is_valid() && cs->is_satisfied(primary_input, aux_input);
extern "C" void * tinysnark_add_constraint(
void * ics,
tinysnark_linear_term * a_terms,
size_t a_terms_len,
tinysnark_linear_term * b_terms,
size_t b_terms_len,
tinysnark_linear_term * c_terms,
size_t c_terms_len
) {
r1cs_constraint_system<FieldT>* cs = static_cast<r1cs_constraint_system<FieldT>*>(ics);
std::vector<linear_term<FieldT>> a;
std::vector<linear_term<FieldT>> b;
std::vector<linear_term<FieldT>> c;
for (size_t i = 0; i < a_terms_len; i++) {
FieldT coeff = a_terms[i].coeff;
size_t index = a_terms[i].index;
a.push_back(linear_term<FieldT>(variable<FieldT>(index), coeff));
for (size_t i = 0; i < b_terms_len; i++) {
FieldT coeff = b_terms[i].coeff;
size_t index = b_terms[i].index;
b.push_back(linear_term<FieldT>(variable<FieldT>(index), coeff));
for (size_t i = 0; i < c_terms_len; i++) {
FieldT coeff = c_terms[i].coeff;
size_t index = c_terms[i].index;
c.push_back(linear_term<FieldT>(variable<FieldT>(index), coeff));
linear_combination<FieldT> a_lc(a);
linear_combination<FieldT> b_lc(b);
linear_combination<FieldT> c_lc(c);
r1cs_constraint<FieldT> constraint(a_lc, b_lc, c_lc);
extern "C" FieldT tinysnark_fieldt_mul(FieldT a, FieldT b) {
return a * b;
extern "C" FieldT tinysnark_fieldt_add(FieldT a, FieldT b) {
return a + b;
extern "C" unsigned long tinysnark_long_from_fieldt(FieldT num) {
return num.as_bigint().as_ulong();
extern "C" FieldT tinysnark_fieldt_from_long(long num) {
return FieldT(num);
extern "C" FieldT tinysnark_fieldt_one() {
return FieldT::one();
extern "C" FieldT tinysnark_fieldt_zero() {
return FieldT::zero();
extern "C" FieldT tinysnark_fieldt_neg(FieldT val) {
return -val;
extern "C" FieldT tinysnark_fieldt_inverse(FieldT val) {
return val.inverse();
extern "C" void tinysnark_init_public_params() {
auto p = FieldT::one();
assert(sizeof(p) == 32);
extern "C" void tinysnark_test() {
typedef Fr<default_r1cs_ppzksnark_pp> FieldT;
protoboard<FieldT> pb;
auto input_bits = new digest_variable<FieldT>(pb, 512, "input_bits");
auto output_bits = new digest_variable<FieldT>(pb, 256, "output_bits");
auto input_block = new block_variable<FieldT>(pb, {
}, "input_block");
auto IV = SHA256_default_IV(pb);
auto sha256 = new sha256_compression_function_gadget<FieldT>(pb,
const r1cs_constraint_system<FieldT> constraint_system = pb.get_constraint_system();
cout << "Number of R1CS constraints: " << constraint_system.num_constraints() << endl;
Reference in New Issue
Block a user