mirror of https://github.com/tornadocash/docs
Describe R1CS and Witnesses
parent
d94ed39c87
commit
96b62ce0f0
41
circuits.md
|
@ -57,11 +57,50 @@ Circom is easiest to think of as a compiler for a circuit language which acts ve
|
|||
would use to describe an electrical circuit. Except instead of an electrical circuit, we're describing an
|
||||
**arithmetic circuit**, which contains components, and the way that they connect together.
|
||||
|
||||
When you compile a Circom circuit, the resulting output is an
|
||||
[R1CS constraint system](https://docs.circom.io/1.-an-introduction/background#rank-1-constraint-system) and a
|
||||
[Wasm](https://en.wikipedia.org/wiki/WebAssembly) executable that will be used to generate a
|
||||
[witness](https://docs.circom.io/1.-an-introduction/background#witness).
|
||||
|
||||
#### R1CS
|
||||
|
||||
To understand R1CS (Rank-1 constraint system), there is of course more math. And where there's important
|
||||
cryptosystem math, there's a [post by Vitalik](https://medium.com/@VitalikButerin/quadratic-arithmetic-programs-from-zero-to-hero-f6d558cea649#5539).
|
||||
|
||||
> An R1CS is a sequence of groups of three vectors `(a, b, c)`, and the solution to an R1CS is a vector `s`, where `s`
|
||||
> must satisfy the equation `s . a * s . b - s . c = 0`, where `.` represents the dot product - in simpler terms, if we
|
||||
> "zip together" `a` and `s`, multiplying the two values in the same positions, and then take the sum of these products,
|
||||
> then do the same to `b` and `s` and then `c` and `s`, then the third result equals the product of the first two results.
|
||||
>
|
||||
> The next step is taking this R1CS and converting it into QAP form, which implements the exact same logic except using
|
||||
> polynomials instead of dot products ... instead of checking the constraints in the R1CS individually, we can now
|
||||
> check all of the constraints at the same time by doing the dot product check on the polynomials.
|
||||
>
|
||||
> If we try to falsify any of the variables in the R1CS solution that we are deriving this QAP solution from - say, set
|
||||
> the last one to 31 instead of 30, then we get a `t` polynomial that fails one of the checks.
|
||||
|
||||
In short, the R1CS is a set of polynomial constraints which any proof generated by the circuit must satisfy. These
|
||||
constraints are [generated by Circom](https://docs.circom.io/2.-circom-fundamentals/constraints-generation) based on the
|
||||
relationship between various "signals" and operations in your circuit design.
|
||||
|
||||
#### Witnesses
|
||||
|
||||
Now, depending on what you're using Tornado.cash for, you might not want any witnesses. However, don't worry, if
|
||||
everything is working correctly, all of the witnesses to your interactions with Tornado.cash will be aggressively
|
||||
compacted, and their bodies disposed of as you please.
|
||||
|
||||
In the context of a PLONK circuit, a witness is the set of values that need to be generated from the inputs to the
|
||||
circuit, based on the circuit design, to satisfy all of the constraints imposed by the circuit. You can think of the
|
||||
witness generator produced by Circom as a circuit-specific decompression function which runs your inputs through the
|
||||
circuit, and snapshots all of the various intermediary values that are produced along the way.
|
||||
|
||||
#### Proof
|
||||
|
||||
|
||||
|
||||
## Circuits
|
||||
|
||||
## Deposit
|
||||
### Deposit
|
||||
|
||||
### Tornado Trees
|
||||
|
||||
|
|
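Review bot: The closing sentence of the R1CS section ("the R1CS is a set of polynomial constraints which any proof generated by the circuit must satisfy") disagrees with the Witnesses paragraph added a few lines below it, which says it is the witness that is generated "to satisfy all of the constraints imposed by the circuit". Suggest wording the R1CS sentence in terms of the witness, for example "which any valid witness for the circuit must satisfy", and leaving what the proof demonstrates to the new Proof section. The same sentence calls the constraints "polynomial", while the quoted passage above it describes the R1CS check as dot products and reserves polynomials for the QAP form, so it is worth stating which form is meant. Two smaller points: the Witnesses paragraph opens with "In the context of a PLONK circuit" although PLONK is not introduced anywhere in these lines and the preceding text describes R1CS output, and the added "#### Proof" heading has no body yet.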