diff --git a/Cargo.toml b/Cargo.toml index 18319430e..a60e13894 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -16,7 +16,7 @@ features = ["expose-arith"] rand = "0.3" blake2 = "0.7" digest = "0.7" -bellman = "0.0.7" +bellman = "0.0.8" [features] default = ["u128-support"] diff --git a/src/circuit/boolean.rs b/src/circuit/boolean.rs index 6b5b9cd95..24dd4bd1e 100644 --- a/src/circuit/boolean.rs +++ b/src/circuit/boolean.rs @@ -55,9 +55,9 @@ impl AllocatedBit { let one = cs.one(); cs.enforce( || "boolean constraint", - LinearCombination::zero() + one - var, - LinearCombination::zero() + var, - LinearCombination::zero() + |lc| lc + one - var, + |lc| lc + var, + |lc| lc ); Ok(AllocatedBit { @@ -107,9 +107,9 @@ impl AllocatedBit { // (a + a) * b = a + b - c cs.enforce( || "xor constraint", - LinearCombination::zero() + a.variable + a.variable, - LinearCombination::zero() + b.variable, - LinearCombination::zero() + a.variable + b.variable - result_var + |lc| lc + a.variable + a.variable, + |lc| lc + b.variable, + |lc| lc + a.variable + b.variable - result_var ); Ok(AllocatedBit { @@ -146,9 +146,9 @@ impl AllocatedBit { // a AND b are both 1. cs.enforce( || "and constraint", - LinearCombination::zero() + a.variable, - LinearCombination::zero() + b.variable, - LinearCombination::zero() + result_var + |lc| lc + a.variable, + |lc| lc + b.variable, + |lc| lc + result_var ); Ok(AllocatedBit { @@ -185,9 +185,9 @@ impl AllocatedBit { let one = cs.one(); cs.enforce( || "and not constraint", - LinearCombination::zero() + a.variable, - LinearCombination::zero() + one - b.variable, - LinearCombination::zero() + result_var + |lc| lc + a.variable, + |lc| lc + one - b.variable, + |lc| lc + result_var ); Ok(AllocatedBit { @@ -224,9 +224,9 @@ impl AllocatedBit { let one = cs.one(); cs.enforce( || "nor constraint", - LinearCombination::zero() + one - a.variable, - LinearCombination::zero() + one - b.variable, - LinearCombination::zero() + result_var + |lc| lc + one - a.variable, + |lc| lc + one - b.variable, + |lc| lc + result_var ); Ok(AllocatedBit { @@ -401,9 +401,9 @@ impl Boolean { Boolean::Is(ref res) => { cs.enforce( || "enforce nand", - LinearCombination::zero(), - LinearCombination::zero(), - LinearCombination::zero() + res.get_variable() + |lc| lc, + |lc| lc, + |lc| lc + res.get_variable() ); Ok(()) @@ -412,9 +412,9 @@ impl Boolean { let one = cs.one(); cs.enforce( || "enforce nand", - LinearCombination::zero(), - LinearCombination::zero(), - LinearCombination::zero() + one - res.get_variable() + |lc| lc, + |lc| lc, + |lc| lc + one - res.get_variable() ); Ok(()) diff --git a/src/circuit/lookup.rs b/src/circuit/lookup.rs index d44d5d36f..77783ba3f 100644 --- a/src/circuit/lookup.rs +++ b/src/circuit/lookup.rs @@ -3,8 +3,7 @@ use super::*; use super::num::AllocatedNum; use super::boolean::Boolean; use bellman::{ - ConstraintSystem, - LinearCombination + ConstraintSystem }; // Synthesize the constants for each base pattern. @@ -89,30 +88,30 @@ pub fn lookup3_xy( cs.enforce( || "x-coordinate lookup", - LinearCombination::::zero() + (x_coeffs[0b001], one) - + &bits[1].lc::(one, x_coeffs[0b011]) - + &bits[2].lc::(one, x_coeffs[0b101]) - + &precomp.lc::(one, x_coeffs[0b111]), - LinearCombination::::zero() + &bits[0].lc::(one, E::Fr::one()), - LinearCombination::::zero() + res_x.get_variable() - - (x_coeffs[0b000], one) - - &bits[1].lc::(one, x_coeffs[0b010]) - - &bits[2].lc::(one, x_coeffs[0b100]) - - &precomp.lc::(one, x_coeffs[0b110]), + |lc| lc + (x_coeffs[0b001], one) + + &bits[1].lc::(one, x_coeffs[0b011]) + + &bits[2].lc::(one, x_coeffs[0b101]) + + &precomp.lc::(one, x_coeffs[0b111]), + |lc| lc + &bits[0].lc::(one, E::Fr::one()), + |lc| lc + res_x.get_variable() + - (x_coeffs[0b000], one) + - &bits[1].lc::(one, x_coeffs[0b010]) + - &bits[2].lc::(one, x_coeffs[0b100]) + - &precomp.lc::(one, x_coeffs[0b110]), ); cs.enforce( || "y-coordinate lookup", - LinearCombination::::zero() + (y_coeffs[0b001], one) - + &bits[1].lc::(one, y_coeffs[0b011]) - + &bits[2].lc::(one, y_coeffs[0b101]) - + &precomp.lc::(one, y_coeffs[0b111]), - LinearCombination::::zero() + &bits[0].lc::(one, E::Fr::one()), - LinearCombination::::zero() + res_y.get_variable() - - (y_coeffs[0b000], one) - - &bits[1].lc::(one, y_coeffs[0b010]) - - &bits[2].lc::(one, y_coeffs[0b100]) - - &precomp.lc::(one, y_coeffs[0b110]), + |lc| lc + (y_coeffs[0b001], one) + + &bits[1].lc::(one, y_coeffs[0b011]) + + &bits[2].lc::(one, y_coeffs[0b101]) + + &precomp.lc::(one, y_coeffs[0b111]), + |lc| lc + &bits[0].lc::(one, E::Fr::one()), + |lc| lc + res_y.get_variable() + - (y_coeffs[0b000], one) + - &bits[1].lc::(one, y_coeffs[0b010]) + - &bits[2].lc::(one, y_coeffs[0b100]) + - &precomp.lc::(one, y_coeffs[0b110]), ); Ok((res_x, res_y)) @@ -172,22 +171,22 @@ pub fn lookup3_xy_with_conditional_negation( cs.enforce( || "x-coordinate lookup", - LinearCombination::::zero() + (x_coeffs[0b01], one) - + &bits[1].lc::(one, x_coeffs[0b11]), - LinearCombination::::zero() + &bits[0].lc::(one, E::Fr::one()), - LinearCombination::::zero() + res_x.get_variable() - - (x_coeffs[0b00], one) - - &bits[1].lc::(one, x_coeffs[0b10]) + |lc| lc + (x_coeffs[0b01], one) + + &bits[1].lc::(one, x_coeffs[0b11]), + |lc| lc + &bits[0].lc::(one, E::Fr::one()), + |lc| lc + res_x.get_variable() + - (x_coeffs[0b00], one) + - &bits[1].lc::(one, x_coeffs[0b10]) ); cs.enforce( || "y-coordinate lookup", - LinearCombination::::zero() + (y_coeffs[0b01], one) - + &bits[1].lc::(one, y_coeffs[0b11]), - LinearCombination::::zero() + &bits[0].lc::(one, E::Fr::one()), - LinearCombination::::zero() + res_y.get_variable() - - (y_coeffs[0b00], one) - - &bits[1].lc::(one, y_coeffs[0b10]) + |lc| lc + (y_coeffs[0b01], one) + + &bits[1].lc::(one, y_coeffs[0b11]), + |lc| lc + &bits[0].lc::(one, E::Fr::one()), + |lc| lc + res_y.get_variable() + - (y_coeffs[0b00], one) + - &bits[1].lc::(one, y_coeffs[0b10]) ); let final_y = res_y.conditionally_negate(&mut cs, &bits[2])?; diff --git a/src/circuit/mont.rs b/src/circuit/mont.rs index 0141c8ea7..d76b97de2 100644 --- a/src/circuit/mont.rs +++ b/src/circuit/mont.rs @@ -5,8 +5,7 @@ use pairing::{ use bellman::{ SynthesisError, - ConstraintSystem, - LinearCombination + ConstraintSystem }; use super::{ @@ -122,9 +121,9 @@ impl EdwardsPoint { let one = cs.one(); cs.enforce( || "x' computation", - LinearCombination::::zero() + self.x.get_variable(), - condition.lc(one, E::Fr::one()), - LinearCombination::::zero() + x_prime.get_variable() + |lc| lc + self.x.get_variable(), + |_| condition.lc(one, E::Fr::one()), + |lc| lc + x_prime.get_variable() ); // Compute y' = self.y if condition, and 1 otherwise @@ -141,9 +140,9 @@ impl EdwardsPoint { // if condition is 1, y' must be y cs.enforce( || "y' computation", - LinearCombination::::zero() + self.y.get_variable(), - condition.lc(one, E::Fr::one()), - LinearCombination::::zero() + y_prime.get_variable() + |lc| lc + self.y.get_variable(), + |_| condition.lc(one, E::Fr::one()), + |lc| lc + y_prime.get_variable() - &condition.not().lc(one, E::Fr::one()) ); @@ -225,11 +224,11 @@ impl EdwardsPoint { let one = cs.one(); cs.enforce( || "on curve check", - LinearCombination::zero() - x2.get_variable() - + y2.get_variable(), - LinearCombination::zero() + one, - LinearCombination::zero() + one - + (*params.edwards_d(), x2y2.get_variable()) + |lc| lc - x2.get_variable() + + y2.get_variable(), + |lc| lc + one, + |lc| lc + one + + (*params.edwards_d(), x2y2.get_variable()) ); Ok(EdwardsPoint { @@ -272,11 +271,11 @@ impl EdwardsPoint { cs.enforce( || "U computation", - LinearCombination::::zero() + self.x.get_variable() - + self.y.get_variable(), - LinearCombination::::zero() + other.x.get_variable() - + other.y.get_variable(), - LinearCombination::::zero() + u.get_variable() + |lc| lc + self.x.get_variable() + + self.y.get_variable(), + |lc| lc + other.x.get_variable() + + other.y.get_variable(), + |lc| lc + u.get_variable() ); // Compute A = y2 * x1 @@ -296,9 +295,9 @@ impl EdwardsPoint { cs.enforce( || "C computation", - LinearCombination::::zero() + (*params.edwards_d(), a.get_variable()), - LinearCombination::::zero() + b.get_variable(), - LinearCombination::::zero() + c.get_variable() + |lc| lc + (*params.edwards_d(), a.get_variable()), + |lc| lc + b.get_variable(), + |lc| lc + c.get_variable() ); // Compute x3 = (A + B) / (1 + C) @@ -324,10 +323,10 @@ impl EdwardsPoint { let one = cs.one(); cs.enforce( || "x3 computation", - LinearCombination::::zero() + one + c.get_variable(), - LinearCombination::::zero() + x3.get_variable(), - LinearCombination::::zero() + a.get_variable() - + b.get_variable() + |lc| lc + one + c.get_variable(), + |lc| lc + x3.get_variable(), + |lc| lc + a.get_variable() + + b.get_variable() ); // Compute y3 = (U - A - B) / (1 - C) @@ -353,11 +352,11 @@ impl EdwardsPoint { cs.enforce( || "y3 computation", - LinearCombination::::zero() + one - c.get_variable(), - LinearCombination::::zero() + y3.get_variable(), - LinearCombination::::zero() + u.get_variable() - - a.get_variable() - - b.get_variable() + |lc| lc + one - c.get_variable(), + |lc| lc + y3.get_variable(), + |lc| lc + u.get_variable() + - a.get_variable() + - b.get_variable() ); Ok(EdwardsPoint { @@ -402,9 +401,9 @@ impl MontgomeryPoint { cs.enforce( || "u computation", - LinearCombination::::zero() + self.y.get_variable(), - LinearCombination::::zero() + u.get_variable(), - LinearCombination::::zero() + (*params.scale(), self.x.get_variable()) + |lc| lc + self.y.get_variable(), + |lc| lc + u.get_variable(), + |lc| lc + (*params.scale(), self.x.get_variable()) ); // Compute v = (x - 1) / (x + 1) @@ -429,11 +428,11 @@ impl MontgomeryPoint { let one = cs.one(); cs.enforce( || "v computation", - LinearCombination::::zero() + self.x.get_variable() - + one, - LinearCombination::::zero() + v.get_variable(), - LinearCombination::::zero() + self.x.get_variable() - - one, + |lc| lc + self.x.get_variable() + + one, + |lc| lc + v.get_variable(), + |lc| lc + self.x.get_variable() + - one, ); Ok(EdwardsPoint { @@ -488,13 +487,13 @@ impl MontgomeryPoint { cs.enforce( || "evaluate lambda", - LinearCombination::::zero() + other.x.get_variable() - - self.x.get_variable(), + |lc| lc + other.x.get_variable() + - self.x.get_variable(), - LinearCombination::zero() + lambda.get_variable(), + |lc| lc + lambda.get_variable(), - LinearCombination::::zero() + other.y.get_variable() - - self.y.get_variable() + |lc| lc + other.y.get_variable() + - self.y.get_variable() ); // Compute x'' = lambda^2 - A - x - x' @@ -512,12 +511,12 @@ impl MontgomeryPoint { let one = cs.one(); cs.enforce( || "evaluate xprime", - LinearCombination::zero() + lambda.get_variable(), - LinearCombination::zero() + lambda.get_variable(), - LinearCombination::::zero() + (*params.montgomery_a(), one) - + self.x.get_variable() - + other.x.get_variable() - + xprime.get_variable() + |lc| lc + lambda.get_variable(), + |lc| lc + lambda.get_variable(), + |lc| lc + (*params.montgomery_a(), one) + + self.x.get_variable() + + other.x.get_variable() + + xprime.get_variable() ); // Compute y' = -(y + lambda(x' - x)) @@ -534,13 +533,13 @@ impl MontgomeryPoint { // y' + y = lambda(x - x') cs.enforce( || "evaluate yprime", - LinearCombination::zero() + self.x.get_variable() - - xprime.get_variable(), + |lc| lc + self.x.get_variable() + - xprime.get_variable(), - LinearCombination::zero() + lambda.get_variable(), + |lc| lc + lambda.get_variable(), - LinearCombination::::zero() + yprime.get_variable() - + self.y.get_variable() + |lc| lc + yprime.get_variable() + + self.y.get_variable() ); Ok(MontgomeryPoint { @@ -589,16 +588,16 @@ impl MontgomeryPoint { let one = cs.one(); cs.enforce( || "evaluate lambda", - LinearCombination::::zero() + self.y.get_variable() - + self.y.get_variable(), + |lc| lc + self.y.get_variable() + + self.y.get_variable(), - LinearCombination::zero() + lambda.get_variable(), + |lc| lc + lambda.get_variable(), - LinearCombination::::zero() + xx.get_variable() - + xx.get_variable() - + xx.get_variable() - + (*params.montgomery_2a(), self.x.get_variable()) - + one + |lc| lc + xx.get_variable() + + xx.get_variable() + + xx.get_variable() + + (*params.montgomery_2a(), self.x.get_variable()) + + one ); // Compute x' = (lambda^2) - A - 2.x @@ -615,12 +614,12 @@ impl MontgomeryPoint { // (lambda) * (lambda) = (A + 2.x + x') cs.enforce( || "evaluate xprime", - LinearCombination::zero() + lambda.get_variable(), - LinearCombination::zero() + lambda.get_variable(), - LinearCombination::::zero() + (*params.montgomery_a(), one) - + self.x.get_variable() - + self.x.get_variable() - + xprime.get_variable() + |lc| lc + lambda.get_variable(), + |lc| lc + lambda.get_variable(), + |lc| lc + (*params.montgomery_a(), one) + + self.x.get_variable() + + self.x.get_variable() + + xprime.get_variable() ); // Compute y' = -(y + lambda(x' - x)) @@ -637,13 +636,13 @@ impl MontgomeryPoint { // y' + y = lambda(x - x') cs.enforce( || "evaluate yprime", - LinearCombination::zero() + self.x.get_variable() - - xprime.get_variable(), + |lc| lc + self.x.get_variable() + - xprime.get_variable(), - LinearCombination::zero() + lambda.get_variable(), + |lc| lc + lambda.get_variable(), - LinearCombination::::zero() + yprime.get_variable() - + self.y.get_variable() + |lc| lc + yprime.get_variable() + + self.y.get_variable() ); Ok(MontgomeryPoint { diff --git a/src/circuit/num.rs b/src/circuit/num.rs index 8656e4b7f..0386fe1d9 100644 --- a/src/circuit/num.rs +++ b/src/circuit/num.rs @@ -122,9 +122,9 @@ impl AllocatedNum { cs.enforce( || "unpacking constraint", - LinearCombination::zero(), - LinearCombination::zero(), - lc + |lc| lc, + |lc| lc, + |_| lc ); Ok(bits.into_iter().map(|b| Boolean::from(b)).collect()) @@ -191,9 +191,9 @@ impl AllocatedNum { cs.enforce( || "packing constraint", - LinearCombination::zero(), - LinearCombination::zero(), - lc + |lc| lc, + |lc| lc, + |_| lc ); Ok(num) @@ -220,9 +220,9 @@ impl AllocatedNum { // Constrain: a * b = ab cs.enforce( || "multiplication constraint", - LinearCombination::zero() + self.variable, - LinearCombination::zero() + other.variable, - LinearCombination::zero() + var + |lc| lc + self.variable, + |lc| lc + other.variable, + |lc| lc + var ); Ok(AllocatedNum { @@ -251,9 +251,9 @@ impl AllocatedNum { // Constrain: a * a = aa cs.enforce( || "squaring constraint", - LinearCombination::zero() + self.variable, - LinearCombination::zero() + self.variable, - LinearCombination::zero() + var + |lc| lc + self.variable, + |lc| lc + self.variable, + |lc| lc + var ); Ok(AllocatedNum { @@ -284,9 +284,9 @@ impl AllocatedNum { let one = cs.one(); cs.enforce( || "nonzero assertion constraint", - LinearCombination::zero() + self.variable, - LinearCombination::zero() + inv, - LinearCombination::zero() + one + |lc| lc + self.variable, + |lc| lc + inv, + |lc| lc + one ); Ok(()) @@ -317,9 +317,9 @@ impl AllocatedNum { let one = cs.one(); cs.enforce( || "first conditional reversal", - LinearCombination::zero() + a.variable - b.variable, - condition.lc(one, E::Fr::one()), - LinearCombination::zero() + a.variable - c.variable + |lc| lc + a.variable - b.variable, + |_| condition.lc(one, E::Fr::one()), + |lc| lc + a.variable - c.variable ); let d = Self::alloc( @@ -335,9 +335,9 @@ impl AllocatedNum { cs.enforce( || "second conditional reversal", - LinearCombination::zero() + b.variable - a.variable, - condition.lc(one, E::Fr::one()), - LinearCombination::zero() + b.variable - d.variable + |lc| lc + b.variable - a.variable, + |_| condition.lc(one, E::Fr::one()), + |lc| lc + b.variable - d.variable ); Ok((c, d)) @@ -368,9 +368,9 @@ impl AllocatedNum { let one = cs.one(); cs.enforce( || "conditional negation", - LinearCombination::zero() + self.variable + self.variable, - condition.lc(one, E::Fr::one()), - LinearCombination::zero() + self.variable - r.variable + |lc| lc + self.variable + self.variable, + |_| condition.lc(one, E::Fr::one()), + |lc| lc + self.variable - r.variable ); Ok(r) diff --git a/src/circuit/test/mod.rs b/src/circuit/test/mod.rs index 22575e93e..8e12ff713 100644 --- a/src/circuit/test/mod.rs +++ b/src/circuit/test/mod.rs @@ -168,19 +168,26 @@ impl ConstraintSystem for TestConstraintSystem { Ok(var) } - fn enforce( + fn enforce( &mut self, annotation: A, - a: LinearCombination, - b: LinearCombination, - c: LinearCombination + a: LA, + b: LB, + c: LC ) - where A: FnOnce() -> AR, AR: Into + where A: FnOnce() -> AR, AR: Into, + LA: FnOnce(LinearCombination) -> LinearCombination, + LB: FnOnce(LinearCombination) -> LinearCombination, + LC: FnOnce(LinearCombination) -> LinearCombination { let path = compute_path(&self.current_namespace, annotation().into()); let index = self.constraints.len(); self.set_named_obj(path.clone(), NamedObject::Constraint(index)); + let a = a(LinearCombination::zero()); + let b = b(LinearCombination::zero()); + let c = c(LinearCombination::zero()); + self.constraints.push((a, b, c, path)); } @@ -218,9 +225,9 @@ fn test_cs() { cs.enforce( || "mult", - LinearCombination::zero() + a, - LinearCombination::zero() + b, - LinearCombination::zero() + c + |lc| lc + a, + |lc| lc + b, + |lc| lc + c ); assert!(cs.is_satisfied()); assert_eq!(cs.num_constraints(), 1); @@ -230,9 +237,9 @@ fn test_cs() { let one = cs.one(); cs.enforce( || "eq", - LinearCombination::zero() + a, - LinearCombination::zero() + one, - LinearCombination::zero() + b + |lc| lc + a, + |lc| lc + one, + |lc| lc + b ); assert!(!cs.is_satisfied()); diff --git a/src/circuit/uint32.rs b/src/circuit/uint32.rs index 7f93879da..fc24a269d 100644 --- a/src/circuit/uint32.rs +++ b/src/circuit/uint32.rs @@ -281,9 +281,9 @@ impl UInt32 { // Enforce that the linear combination equals zero cs.enforce( || "modular addition", - LinearCombination::zero(), - LinearCombination::zero(), - lc + |lc| lc, + |lc| lc, + |_| lc ); // Discard carry bits that we don't care about