IR Spec Working Draft

There are two possible approaches to naming: (1) constraint systems, constraints, and variables, or (2) circuits, gates, and wires. Since plonk is a proof system for zero-knowledge circuits, we stick with circuit-based terminology.

Wires

A wire is a fundamental, atomic, immutable representation of data.
Name: names of wires are strings that start with a letter, and can include underscores and digit characters.
They are allocated at compile time as they appear.
All wires are assigned values in $F_{p}$ (either at compile-time or at prover / verifier run-time), where $p$ is a globally fixed (usually ~256-bit) prime. TODO: should we add #pragma declarations for specifying $p$ ?

Public wires

Public wires are public inputs into the circuit that are not known at compile-time. To allocate the variable contract_public_key as public we simply declare it in the following statement:

pub contract_public_key

The variable contract_public_key can then be used in a polynomial constraint like any other variable. Alternatively, one can declare a wire to be public by adding the keyword pub when referring to the wire.

Private wires

Private wires are the Prover's secret witnesses. Any variable not explicitly made public is a private wire.

Named vs. unnamed wires

Some wires are implicitly created and can be unnamed from the perspective of the IR.

Constants (a.k.a scalars)

Fixed constants are strings of digits that are interpreted as decimal integers. They can be preceded by a "-" to indicate that they are negative.

Expressions

An expression is any code block that returns one or more values encoded in unnamed wires.

Polynomial Expressions

Polynomial expressions are algebraic expressions involving of wires and constants ("multi-variable" polynomial where wires are "variables"). Below are two polynomial expressions.

x^2 - 1
x^2 + y^2 - z^2

The polynomial ought to be expressed in a standard format that can easily be plugged into polynomial solvers and other tools.

Gate expressions

Some gates provide output wires. It forms an expression when they are called without output wires in the arguments. For example, add x 1, mul x y.

Constraint statements

A constraint statement constrains a set of wires. Named and unnamed internal wires can be created as a consequence of a constraint statement. There are two types of constraint statements, equality statements and gate statements.

Equality statement

An equality statement constrains two expressions (left- and right-hand side) to be equal to each other.

Here is an equality statement for checking if three inputs form a Pythagorean triple:

0 = x^2 + y^2 - z^2

$T hi s g a t ere p rese n t s a co n s t r ain t . T ha t i s, t hi s g a t eco n s t r ain s t h e p o l y n o mia l in d i c a t e d t oe q u a l zero . T h e v a r iab l es u se d in t h e p o l y n o mia lt ha t ha v e n o t a l re a d y b ee n u se d e a r l i er w i ll b e a ll oc a t e d w h e n t h e p o l y n o mia l i s p rocesse d . I t i sco n v e ni e n t so m e t im es t o t hink o f a p o l y n o mia l e x p ress i o na s an " a ss i g nm e n t ". W ec ana c hi e v e t hi s b y a ll o w in g p o l y n o mia l co n s t r ain t s t o b e w r i tt e na s an e q u a t i o n w i t ha l e f t an d r i g h t s i d e . T h ese tw o p o l y n o mia l s a ree q u i v a l e n t : ‘‘‘ x_{1}^{3} - 5 x_{2}^{2} - x_{3} x_{3} = x_{1}^{3} - 5 x_{2}^{2} ‘‘‘$ Since this is not true assignment, but merely a constraint, it is also valid to "assign" to scalars. These are equivalent:

0 = x_1 * x_2 - 42
42 = x_1 * x_2

Equality statements involving general expressions are compiled down to gate statements by the backend.

Gate statement

A gate constraint is formed when a gate is called with all input and output wires.

bool x
bool x * y

Alias statement

An alias can be given to sets of constraint statements that are used often. Curly braces are used to indicate a set of constraints.

// definition of my_alias
def my_alias input_wires... -> output_wires... {
	constraint_statement_1
	constraint_statement_2

	.
	.
}

// calling my_alias can be done like this:
my_alias input_1 input_2 ... output_1 output_2 ...

// or like this:
output_1 output_2 ... = my_alias input_1 input_2 ...
// this is technically an equality statement where the rhs is a gate expression

$I na r i t hm e t i cco n s t r ain t s t h erere a ll y i s n o d i s t in c t i o nb e tw ee nin p u t s an d o u tp u t s . W e mak e t h e d i s t in c t i o nh ere t o t e llt h e ba c k e n d co m p i l er h o wt o in t er p re t a co n s t r ain tw r i tt e nin " a ss i g nm e n t " m o d e an d h o wt oco m p oseco n s t r ain t s . S in ce a l ia se d s u b c i rc u i t s a re l ik e l y t o b e u se d m ore t han o n ce, aba c k e n d co m p i l er ma y d ec i d e t ore pl a ce ana l ia se d s u b c i rc u i tw i t ha l oo k u p g a t eorc u s t o m g a t e i f i t ha s t h ose f e a t u res a v ai l ab l e . O f t e n t im es, t h e g a t ess u pp or t e d b y t h e ba c k e n d a re n o t a g n os t i c t o t h e w i re t y p es . T o b u i l d a l ia s g a t es f or t h ese b u i lt - in g a t es, o n e n ee d s t o d ec l a re t h ere q u i re d w i re t y p es in t h e a l ia s d e f ini t i o n . F ore x am pl e : ‘‘‘ d e f e q (p r i vx) - > (p r i v y) y = p o l y_{g} a t e [010 - 10] xx d e f e q (p r i vx) - > (p u b y) y = p u b o u t_{p} o l y_{g} a t e [01000] xxx d e f e q (p r i vx) - > (co n s t y) p o l y_{g} a t e [0100 y] xxx ‘‘‘$

Examples

No-output Gate

A range gate is a commonly used gate that does not have a canonical output. A 2-bit range gate would be defined and called like this:

// definition
def range_2 x {
	b_0 = b_0^2
	b_1 = b_1^2
	x = 2b_1 + b_0
}

// call
range_2 x

$T h e v a r iab l e ‘ x ‘ i s n o w co n s t r ain e d t o b e 0, 1, 2, or 3. B ec a u se t h e g a t e i s d e f in e d w i t hn oo u tp u t s, t ry in g t oc a ll i tl ik e t hi ss h o u l d p ro d u ce an error : ‘‘‘// in v a l i d y = r an g e_{2} x // a l so in v a l i d x = r an g e_{2} ‘‘‘$

Single-output Gate

// definition
add x y -> z = { poly x + y - z}

// call
add x y z

// or
z = add x y

Multiple Outputs

Aliased gates can give multiple outputs. Suppose we want to do integer division between two variables and want both the quotient and remainder as outputs (like divmod in Python).

def divmod x y -> q r { .... }

// then divmod can be called like this
divmod x y q r

// or this
q r = divmod x y

Composing Gates

Gates can be composed using assignment mode or prefix mode.

// definition
def curve_add x1 y1 x2 y2 -> x3 y3 { ... }

// assignment mode definition
def curve_add_four x1 y1 x2 y2 x3 y3 x4 y4 -> x5 y5 {
	mx1 my1 = curve_add x1 y1 x2 y2
	mx2 my2 = curve_add x3 y3 x4 y4
	x5 y5 = curve_add mx1 my1 mx2 my2
}

// prefix mode definition
def curve_add_four x1 y1 x2 y2 x3 y3 x4 y4 -> x5 y5 {
	curve_add (curve_add x1 y1 x2 y2) (curve_add x3 y3 x4 y4)
}

A Partial List of Built-in Gates and (some of) their Definitions in Terms of Polynomial Gates

// x + y = z
def add x y -> z { poly x + y - z }

// x - y = z
def sub x y -> z { poly x - y - z }

// x*y = z
def mul x y -> z { poly x * y - z }

// inv x = x_inv
def inv x -> x_inv
// if x is 0, then x_inv is set to 0

// x < y
def less x y { ... }

// x = r mod q
def mod x q -> r { ... }

// bit decomp of x
def bits x -> b_0 ... b_k { ... }

// bit pack of b_0 ... b_k
def bitpack b_0 ... b_k -> x { bits x b_0 ... b_k }

// k = bit count of x
def bitcount x -> k { ... }

// x a bool
def bool x {range_1 x}

// x < 2^k 		k is an usize
def bit_range[k] x { ... }

// conditional / controlled selects
// out = opt_bit
def cselect bit opt_0 opt_1 -> out
// bit = 1 => out = val / bit = 0 => out = 1
def cselect_1 bit val -> out
// bit = 1 => out = 1 / bit = 0 => out = val
def cselect_0 bit val -> out

// k-bit xor and
def xor[k] x y -> z { ... }
def and[k] x y -> z { ... }

// Twister Edwards curve addition
def variable_base_add x1 y1 x2 y3 -> x3 y3
def fixed_base_add ...

// scalar mul potentially defined as internal alias using point addition and
bit decomposition
def variable_base_mul scalar x1 y1 -> x2 y2
def fixed_base_mul scalar -> x2 y2

// Blake2s(x) = y
def blake2s x .. -> y { ... }

// Blake2b(x) = y
def blake2b x .. -> y { ... }

// SHA-256(x) = y
def sha256 x .. -> y { ... }

etc.

Built-in gates and output wires

For built-in gates, we insist the backend to know how output wires are computed given all the input wires. As a result, when generating a proof, output wires of built-in gates need not be specified.

Prover and verifier run-time input specification

To generate a proof, we need to provide a file specifying a circuit (or compiled output from it), as well as (1) a table PI mapping all public wires to their values (in F_p $) an d (2) a t ab l e ‘ W ‘ ma pp in g a ll n o n - o u tp u tw i res t o t h e i r v a l u es (a g ainin$ F_p $) . T o v er i f y a p roo f, w e n ee d t o p ro v i d e, b es i d es t h e p roo f, a f i l es p ec i f y in g a c i rc u i t (orco m p i l e d o u tp u t f ro mi t), a s w e ll a s a t ab l e ‘ P I ‘ (s am e a s in p roo f g e n er a t i o n) . T ab l es ‘ P I ‘ an d ‘ W ‘ a re g i v e na s a J SON f or ma tt e d t ab l e .$

Anoma Specifications