void HashDifficultyEnforcer_Gadget::generateConstraints() {
// enforce that both representations are equal
hashValueUnpacker_->generateConstraints();
// add constraints asserting that the first 'difficultyBits' bits of 'hashValue' equal 0. Note
// endianness, unpacked()[0] is LSB and unpacked()[63] is MSB
for (size_t i = 0; i < difficultyBits_; ++i) {
addUnaryConstraint(hashValue_.unpacked()[63 - i], GADGETLIB2_FMT("hashValue[%u] == 0", 63 - i));
}
}
void NAND_Gadget::generateConstraints() {
// we will invoke the AND gate constraint generator
andGadget_->generateConstraints();
// and add our out negation constraint in order to make this a NAND gate
addRank1Constraint(1, 1 - andResult_, output_, "1 * (1 - andResult) = output");
// Another way to write the same constraint is:
// addUnaryConstraint(1 - andResult_ - output_, "1 - andResult == output");
//
// At first look, it would seem that this is enough. However, the AND_Gadget expects all of its
// inputs to be boolean, a dishonest prover could put non-boolean inputs, so we must check this
// here. Notice 'FlagVariable' means a variable which we intend to hold only '0' or '1', but
// this is just a convention (it is a typedef for Variable) and we must enforce it.
// Look into the internals of the R1P implementation of AND_Gadget and see that
// {2, 1, 0} as inputs with {1} as output would satisfy all constraints, even though this is
// clearly not our intent!
for (const auto& input : inputs_) {
enforceBooleanity(input); // This adds a constraint of the form: input * (1 - input) == 0
}
}
// And now for a test which will exemplify the usage:
TEST(Examples, NAND_Gadget) {
// initialize the field
initPublicParamsFromDefaultPp();
// create a protoboard for a system of rank 1 constraints over a prime field.
ProtoboardPtr pb = Protoboard::create(R1P);
// create 5 variables inputs[0]...iputs[4]. The string "inputs" is used for debug messages
FlagVariableArray inputs(5, "inputs");
FlagVariable output("output");
GadgetPtr nandGadget = NAND_Gadget::create(pb, inputs, output);
// now we can generate a constraint system (or circuit)
nandGadget->generateConstraints();
// if we try to evaluate the circuit now, an exception will be thrown, because we will
// be attempting to evaluate unasigned variables.
EXPECT_ANY_THROW(pb->isSatisfied());
// so lets assign the input variables for NAND and try again after creating the witness
for (const auto& input : inputs) {
pb->val(input) = 1;
}
nandGadget->generateWitness();
EXPECT_TRUE(pb->isSatisfied());
EXPECT_TRUE(pb->val(output) == 0);
// now lets try to ruin something and see what happens
pb->val(inputs[2]) = 0;
EXPECT_FALSE(pb->isSatisfied());
// now let try to cheat. If we hadn't enforced booleanity, this would have worked!
pb->val(inputs[1]) = 2;
EXPECT_FALSE(pb->isSatisfied());
// now lets reset inputs[1] to a valid value
pb->val(inputs[1]) = 1;
// before, we set both the inputs and the output. Notice the output is still set to '0'
EXPECT_TRUE(pb->val(output) == 0);
// Now we will let the gadget compute the result using generateWitness() and see what happens
nandGadget->generateWitness();
EXPECT_TRUE(pb->val(output) == 1);
EXPECT_TRUE(pb->isSatisfied());
}