ZKP Circom (2) Common Circuits

已于 2023-12-09 16:34:48 修改
阅读量75 收藏
点赞数
分类专栏: 零知识证明 文章标签: 零知识证明 笔记
于 2023-12-09 16:20:47 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_45347752/article/details/134896823
版权

MIT IAP 2023 Modern Zero Knowledge Cryptography课程笔记

Lecture 2: Circom 1 (Brain Gu)

  • autogen “intermediate” values
pragma circom 2.1.6;

template Example () {
    signal input x1;
    signal input x2;
    signal input x3;
    signal input x4;

    signal y1;
    signal y2;

    signal output out;
    // how to autogen "intermediate" values
    // can use any operators
    y1 <-- x1 + x2;
    y2 <-- y1 * x3;
    out <-- y2 - x4;

    // constrains
    // only can use + and *
    y1 === x1 + x2;
    y2 === y1 * x3;
    out + x4 === y2;
    
}

component main { public [ x1,x2,x3,x4] } = Example();

/* INPUT = {
    "x1": "2",
    "x2": "4",
    "x3": "8",
    "x4": "5"
} */
  • Some improvement with “syntactic sugar”
pragma circom 2.1.6;

template Example () {
    signal input x1;
    signal input x2;
    signal input x3;
    signal input x4;

    signal y1;
    signal y2;

    signal output out;

    //y1 <-- x1 + x2;
    //y1 === x1 + x2;
    y1 <== x1 + x2;

    //y2 <-- y1 * x3;
    //y2 === y1 * x3;
    y2 <== y1 * x3;

    //out <-- y2 - x4;
    //out + x4 === y2;
    out <== y2 - x4;
    
}

component main { public [ x1,x2,x3,x4] } = Example();

/* INPUT = {
    "x1": "2",
    "x2": "4",
    "x3": "8",
    "x4": "5"
} */
  • Example: import other code
pragma circom 2.1.6;

include "circomlib/poseidon.circom";
// include "https://github.com/0xPARC/circom-secp256k1/blob/master/circuits/bigint.circom";

template Example () {
    signal input a;
    signal input b;
    signal output c;
    
    var unused = 4;
    c <== a * b;
    assert(a > 2);
    
    component hash = Poseidon(2);
    hash.inputs[0] <== a;
    hash.inputs[1] <== b;

    log("hash", hash.out);
}

component main { public [ a ] } = Example();

/* INPUT = {
    "a": "5",
    "b": "77"
} */
  • Exercises
//IsZero
//Parameters: none
//Input signal(s): in
//Output signal(s): out

template IsZero() {
    signal input in;
    signal output out;

    signal inv;

    inv <-- in!=0 ? 1/in : 0;

    out <== -in*inv +1;
    in*out === 0;
}

//IsEqual
//Parameters: none
//Input signal(s): in[2]
//Output signal(s): out

template IsEqual() {
    signal input in[2];
    signal output out;

    component isz = IsZero();

    in[1] - in[0] ==> isz.in;

    isz.out ==> out;
}

//Selector
//Parameters: nChoices
//Input signal(s): in[nChoices], index
//Output: out

template CalculateTotal(n) {
    signal input in[n];
    signal output out;

    signal sums[n];

    sums[0] <== in[0];

    for (var i = 1; i < n; i++) {
        sums[i] <== sums[i-1] + in[i]
    }

    out <== sums[n-1];
}

template QuinSelector(choices) {
    signal input in[choices];
    signal input index;
    signal output out;
    
    // Ensure that index < choices
    component lessThan = LessThan(4);
    lessThan.in[0] <== index;
    lessThan.in[1] <== choices;
    lessThan.out === 1;

    component calcTotal = CalculateTotal(choices);
    component eqs[choices];

    // For each item, check whether its index equals the input index.
    for (var i = 0; i < choices; i ++) {
        eqs[i] = IsEqual();
        eqs[i].in[0] <== i;
        eqs[i].in[1] <== index;

        // eqs[i].out is 1 if the index matches. As such, at most one input to
        // calcTotal is not 0.
        calcTotal.in[i] <== eqs[i].out * in[i];
    }

    // Returns 0 + 0 + 0 + item
    out <== calcTotal.out;
}

//IsNegative

template Num2Bits(n) {
    signal input in;
    signal output out[n];
    var lc1=0;

    var e2=1;
    for (var i = 0; i<n; i++) {
        out[i] <-- (in >> i) & 1;
        out[i] * (out[i] -1 ) === 0;
        lc1 += out[i] * e2;
        e2 = e2+e2;
    }

    lc1 === in;
}

template CompConstant(ct) {
    signal input in[254];
    signal output out;

    signal parts[127];
    signal sout;

    var clsb;
    var cmsb;
    var slsb;
    var smsb;

    var sum=0;

    var b = (1 << 128) -1;
    var a = 1;
    var e = 1;
    var i;

    for (i=0;i<127; i++) {
        clsb = (ct >> (i*2)) & 1;
        cmsb = (ct >> (i*2+1)) & 1;
        slsb = in[i*2];
        smsb = in[i*2+1];

        if ((cmsb==0)&&(clsb==0)) {
            parts[i] <== -b*smsb*slsb + b*smsb + b*slsb;
        } else if ((cmsb==0)&&(clsb==1)) {
            parts[i] <== a*smsb*slsb - a*slsb + b*smsb - a*smsb + a;
        } else if ((cmsb==1)&&(clsb==0)) {
            parts[i] <== b*smsb*slsb - a*smsb + a;
        } else {
            parts[i] <== -a*smsb*slsb + a;
        }

        sum = sum + parts[i];

        b = b -e;
        a = a +e;
        e = e*2;
    }

    sout <== sum;

    component num2bits = Num2Bits(135);

    num2bits.in <== sout;

    out <== num2bits.out[127];
}

template Sign() {
    signal input in[254];
    signal output sign;

    component comp = CompConstant(10944121435919637611123202872628637544274182200208017171849102093287904247808);

    var i;

    for (i=0; i<254; i++) {
        comp.in[i] <== in[i];
    }

    sign <== comp.out;
}

//LessThan
//Parameters: none
//Input signal(s): in[2]. Assume that it is known ahead of time that these are at most 2252−1.
//Output signal(s): out

//Specification: If in[0] is strictly less than in[1], out should be 1. Otherwise, out should be 0.

//Extension 1: If you know that the input signals are at most 2^k - 1 (k ≤ 252), how can you reduce the total number of constraints that this circuit requires? Write a version of this circuit parametrized in k.
//Extension 2: Write LessEqThan (tests if in[0] is ≤ in[1]), GreaterThan, and GreaterEqThan

template LessThan(n) {
    assert(n <= 252);
    signal input in[2];
    signal output out;

    component n2b = Num2Bits(n+1);

    n2b.in <== in[0]+ (1<<n) - in[1];

    out <== 1-n2b.out[n];
}



// N is the number of bits the input  have.
// The MSF is the sign bit.
template LessEqThan(n) {
    signal input in[2];
    signal output out;

    component lt = LessThan(n);

    lt.in[0] <== in[0];
    lt.in[1] <== in[1]+1;
    lt.out ==> out;
}

// N is the number of bits the input  have.
// The MSF is the sign bit.
template GreaterThan(n) {
    signal input in[2];
    signal output out;

    component lt = LessThan(n);

    lt.in[0] <== in[1];
    lt.in[1] <== in[0];
    lt.out ==> out;
}

// N is the number of bits the input  have.
// The MSF is the sign bit.
template GreaterEqThan(n) {
    signal input in[2];
    signal output out;

    component lt = LessThan(n);

    lt.in[0] <== in[1];
    lt.in[1] <== in[0]+1;
    lt.out ==> out;
}

//IntegerDivide
//NOTE: This circuit is pretty hard!
//Parameters: nbits. Use assert to assert that this is at most 126!
//Input signal(s): dividend, divisor
//Output signal(s): remainder, quotient
// input: dividend and divisor field elements in [0, sqrt(p))
// output: remainder and quotient field elements in [0, p-1] and [0, sqrt(p)
// Haven't thought about negative divisor yet. Not needed.
// -8 % 5 = 2. [-8 -> 8. 8 % 5 -> 3. 5 - 3 -> 2.]
// (-8 - 2) // 5 = -2
// -8 + 2 * 5 = 2
// check: 2 - 2 * 5 = -8

template Modulo(divisor_bits, SQRT_P) {
    signal input dividend; // -8
    signal input divisor; // 5
    signal output remainder; // 2
    signal output quotient; // -2

    component is_neg = IsNegative();
    is_neg.in <== dividend;

    signal output is_dividend_negative;
    is_dividend_negative <== is_neg.out;

    signal output dividend_adjustment;
    dividend_adjustment <== 1 + is_dividend_negative * -2; // 1 or -1

    signal output abs_dividend;
    abs_dividend <== dividend * dividend_adjustment; // 8

    signal output raw_remainder;
    raw_remainder <-- abs_dividend % divisor;
    
    signal output neg_remainder;
    neg_remainder <-- divisor - raw_remainder;
    
        if (is_dividend_negative == 1 && raw_remainder != 0) {
        remainder <-- neg_remainder;
    } else {
        remainder <-- raw_remainder;
    }

    quotient <-- (dividend - remainder) / divisor; // (-8 - 2) / 5 = -2.

    dividend === divisor * quotient + remainder; // -8 = 5 * -2 + 2.

    component rp = MultiRangeProof(3, 128);
    rp.in[0] <== divisor;
    rp.in[1] <== quotient;
    rp.in[2] <== dividend;
    rp.max_abs_value <== SQRT_P;

    // check that 0 <= remainder < divisor
    component remainderUpper = LessThan(divisor_bits);
    remainderUpper.in[0] <== remainder;
    remainderUpper.in[1] <== divisor;
    remainderUpper.out === 1;
}
Simba17
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
ZKP Circom (1)
Simba的博客
12-08 340
MIT IAP 2023 Modern Zero Knowledge Cryptography 课程笔记 Lecture 2: Circom 1 (Brain Gu)
ZKP]Nova Scotia: Middleware to compile Circom circuits to Nova prover
Simba的博客
12-24 435
Nova Scotia: Middleware to compile Circom circuits to Nova prover
176-circom入门(二)
Lich Howger
04-28 141
我们还可以把b0b1b2b3改成数组的形式。我们可以把这个template弄成一个整体。b0,b1,b2,b3都是为1或者0。然后我们把数组改成for循环试试看。今天我们来写点复杂的circom。先来写个十进制转换成二进制。
ZKP Commitment (2)
Simba的博客
12-19 936
MIT IAP 2023 Modern Zero Knowledge Cryptography 课程笔记 Lecture 5: Commitment 2 (Ying Tong Lai)
ZKP用途?
mutourend的博客
11-27 1537
本文重点关注当前区块链未解决问题,以及如何使用ZKP(Zero-Knowledge Proof)来解决这些问题。
ZKP3.1 Programming ZKPs (Implement Sudoku on Circom)
Simba的博客
10-16 75
ZK-Learning MOOC Lecture 3: Programming ZKPs (Guest Lecturers: Pratyush Mishra and Alex Ozdemir)
ZKP Understanding Nova (2) Relaxed R1CS
Simba的博客
12-07 132
Nova: Recursive zero-knowledge arguments from folding schemes. 学习笔记
Circom 2.0: A Scalable Circuit Compiler
mutourend的博客
07-23 1237
本文主要摘自IDEN3团队AlbertRubio在Compiler and Composability in ZKP上的演讲内容。
ZKP硬件加速
mutourend的博客
09-01 821
ZKP硬件加速
plonkit:在plonk证明系统使用circom zkp DSL的zkSNARK工具包
03-06
A zkSNARK toolkit to work with circom zkSNARKs DSL in plonk proof system USAGE: plonkit FLAGS: -h, --help Prints help information -V, --version Prints version information SUBCOMMANDS: dump-lagran
zkp:使用Groth16 zkSNARK执行和验证算法的框架
04-15
ZKP ZKP是一种实用的零知识证明系统,可提供任意计算的小型且计算效率高的零知识证明。 该系统使我们能够以廉价,快速的验证时间构造简洁的非交互式证明。 下图描述了证明生成系统的拓扑。编译阶段程序建设受信任的...
用matlab解背包问题(ZKP)
08-25
RT.................................
data-market:zkp数据市场
03-29
DF数据市场 基于Darkforest数据发布市场 动机 卖方一直尝试销售数据。 数据出售后,卖方必须相信买方不会将数据泄露或转售给第三方,复制数据很容易,因此人们将始终能够转售数据。 另一种支付方式是向每个人发布...
goZKP:Go ZKP 协议示例
06-26
2. **电路构造**:ZKP协议通常涉及到计算电路,这些电路表示了需要证明的知识的逻辑。GoZKP可能会包含用于构建和操作这些电路的工具,例如布尔运算(AND、OR、NOT等)和加法、乘法等算术运算。 3. **协议实现**:...
ezKL;zk-SNARK;零知识证明简单举例说明
ZJQ的博客
07-05 149
ezKL;zk-SNARK;零知识证明简单举例说明
零知识证明;电路,编码,多项式是什么;零知识验证流程
最新发布
ZJQ的博客
07-07 47
零知识证明;电路,编码,多项式是什么;零知识验证流程
2024-07-05 base SAS programming学习笔记9(variables)
ddjdd1234的博客
07-05 468
由于SAS 每次都会执行IF THEN 语句,因此在对同一个变量进行操作时使用IF THEN ELSE IF THEN 语句来提高效率,避免重复使用IF-THEN 语句,在碰到TRUE的情况则会跳出该IF 语句。如果不存在select expression ,则会对每个when 语句判断TRUE或FALSE,SAS只会执行首次判断为TRUE的语句,一旦存在TRUE语句则跳出不对其他WHEN语句进行判断。在每次DO循环前检查是否满足WHILE的条件,只有满足WHILE的条件才继续循环,如果不满足则终止循环。
[笔记] 高等数学在各工程门类的典型应用场景
含光左卫的工作笔记集
07-04 941
必须引入高等数学知识才能解决的问题,相关工业门类及问题概述;包含复杂信号时域分析与微小信号提取技术相关的书目,期刊
Succinct Non-Interactive Zero Knowledge
02-25
Our circuit generator is the first to be universal: it does not need to know the program, but only a bound on its running time. Moreover, the size of the output circuit depends additively (rather than multiplicatively) on program size, allowing verification of larger programs. The cryptographic proof system improves proving and verification times, by leveraging new algorithms and a pairing library tailored to the protocol.

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值