zkSNARK: Add "zero" constant variable.

2016-05-04 18:25:48 -06:00 · 2016-05-04 18:25:48 -06:00 · 53d2ade7c2
parent 074eb3a2cf
commit 53d2ade7c2
1 changed files with 19 additions and 0 deletions
--- a/src/zcash/circuit/gadget.tcc
+++ b/src/zcash/circuit/gadget.tcc
@ -16,6 +16,9 @@ private:
    pb_variable_array<FieldT> zk_vpub_old;
    pb_variable_array<FieldT> zk_vpub_new;

+    // Aux inputs
+    pb_variable<FieldT> ZERO;
+
 public:
    joinsplit_gadget(protoboard<FieldT> &pb) : gadget<FieldT>(pb) {
        // Verification
@ -55,12 +58,25 @@ public:
                "unpacker"
            ));
        }
+
+        // We need a constant "zero" variable in some contexts. In theory
+        // it should never be necessary, but libsnark does not synthesize
+        // optimal circuits.
+        // 
+        // The first variable of our constraint system is constrained
+        // to be one automatically for us, and is known as `ONE`.
+        ZERO.allocate(pb);
+
+
    }

    void generate_r1cs_constraints() {
        // The true passed here ensures all the inputs
        // are boolean constrained.
        unpacker->generate_r1cs_constraints(true);
+
+        // Constrain `ZERO`
+        generate_r1cs_equals_const_constraint<FieldT>(this->pb, ZERO, FieldT::zero(), "ZERO");
    }

    void generate_r1cs_witness(
@ -72,6 +88,9 @@ public:
        uint64_t vpub_old,
        uint64_t vpub_new
    ) {
+        // Witness `zero`
+        this->pb.val(ZERO) = FieldT::zero();
+
        // This happens last, because only by now are all the
        // verifier inputs resolved.
        unpacker->generate_r1cs_witness_from_bits();