This chapter covers essential syntax, which you’ll see in most Circom programs. With Circom, we’re able to define a Rank 1 Constraint System (R1CS) using code instead of explicitly defining each constraint. We’ll explore those tools in this chapter.
Previously, we looked at a circuit (IsBinary) that verified whether the supplied inputs were indeed binary. That circuit was hardcoded to accept only 2 inputs.
template IsBinary() {
signal input in[2];
in[0] * (in[0] - 1) === 0;
in[1] * (in[1] - 1) === 0;
}
component main = IsBinary();While the above code works for two inputs, modifying it to support large n inputs would require manually adding constraints, which is a bad developer experience.
Therefore, Circom allows us to constrain an arbitrary number of signals using the following pattern to automatically generate the constraints:
template IsBinary(n) {
// array of n inputs
signal input in[n];
// n loops: n constraints
for (var i = 0; i < n; i++) {
in[i] * (in[i] - 1) === 0;
}
}
// instantiated w/ 4 inputs & 4 constraints
component main = IsBinary(4);Notice that the template declaration has changed to include n in the parenthesis.
n here is known as a template parametern is used within the circuit to specify the size of the array innAlthough constraints can be generated programmatically, the existence and configuration of constraints cannot conditionally depend on signals.
While templates can use parameters, the circuit must be static and clearly defined. There is no support for “dynamic-length” circuits or constraints — everything must be fixed and well-defined from the start.
Imagine having an R1CS system of constraints whose structure was mutable based on input signal values. Neither the prover nor the verifier could operate as the number of constraints is not set in stone.
The value for n must be set at compile time.
for, varWe now explain the for loop introduced above.
template IsBinary(n) {
// array of n inputs
signal input in[n];
// n loops: n constraints
for (var i = 0; i < n; i++) {
in[i] * (in[i] - 1) === 0;
}
}
// instantiated with 4 inputs & 4 constraints
component main = IsBinary(4);n0 or 1We have introduced two new keywords into the circuit: for and var
for works like you’re used to.var keyword declares a variable; in this case, i, as seen in the loop definition.= assigns the value on the right to the variable on the left.Here, the variable i is used to programmatically refer to different signals in the input array while creating constraints for them. Being able to programmatically generate constraints is extremely useful, as doing this by hand when hundreds or thousands of constraints are involved would be extremely error-prone.
Variables hold non-signal data and are mutable. Here is an example of a variable declaration outside of a loop:
template VariableExample(n) {
var acc = 2;
signal s;
}p. The full list of operators is provided in the Circom documentation here. These will feel familiar coming from a C-like language (e.g. ++, **, <=, etc). However, keep in mind that / means multiplication with the multiplicative inverse, and \ means integer division.+, *, ===, <--, and <==. We will discuss <-- and <== in a later article.Circom allows us to conditionally create constraints using if statements — but these conditions must be deterministic and known at compile time. An example is shown next:
Suppose we have two arrays. We could use the following template to generate constraints which enforce that the items at even indices are equal (without checking the odds)
template EqualOnEven(n) {
signal input in1[n];
signal input in2[n];
for (var i = 0; i < n; i++) {
if (i % 2 == 0) {
in1[i] === in2[i];
}
// otherwise no constraint is generated
}
}Note that the variable i dictates which constraints get generated.
The following code is not allowed because signal a is used as the conditional for the if statement:
template IfStatementViolation() {
signal input a;
signal input b;
if (a == 2) {
b === 3;
}
else {
b === 4;
}
}In a Rank 1 Constraint System, there can only be addition and multiplication between signals. Circom is only a thin wrapper on top of a Rank 1 Constraint System. Therefore, it cannot “translate” an if statement to addition and multiplication.
It is still possible to do a conditional operation (if statement) based on signals in Circom — this is the subject of a later chapter. But for now, consider that there is no “direct” translation from an if statement to a single multiplication.
Variables can be used as part of constraints. In the example below, we enforce that the input array in[n] is a Fibonacci sequence. Note that a variable array syntax is var varName[size]:
template IsFib(n) {
assert(n > 1);
signal input in[n];
// generate the Fibonacci sequence
var correctFibo[n];
correctFibo[0] = 0;
correctFibo[1] = 1;
for (var i = 2; i < n; i++) {
correctFibo[i] = correctFibo[i - 1] + correctFibo[i - 2];
}
// assert that the input is a Fibonacci sequence
for (var i = 0; i < n; i++) {
in[i] === correctFibo[i];
}
}Of note:
assert(n > 1) does not generate any constraints. It prevents the template from getting instantiated if the condition for the template parameter is not met.signal === var. This is the same as doing signal === 5 or some other constant.Instead, we can use variables to assign a name to a magic number to improve readability. For example:
template Equality() {
signal input in[2];
var left = 0;
var right = 1;
// require the inputs
// to be equal
in[left] === in[right];
}In Circom, variables can be added to or multiplied by signals, just like constants. In the example below, we require that in2[] is in1[] multiplied by its index.
For example, if in1[] = [3,5,6] then it must be the case that in2[] = [0,5,12] because [3,5,6] gets element-wise multiplied by [0,1,2].
template IsIndexMultiplied(n) {
signal input in1[n];
signal input in2[n];
for (var i = 0; i < n; i++) {
in1[i] * i === in2[i];
}
}
component main = IsIndexMultiplied(3);
/* INPUT = {"in1": [0,1,2], "in2": [0,1,4]} */
// accept
// in1[] = [0,1,2]
// in2[] = [0,1,4]
// reject
// in1[] = [0,1,2]
// in2[] = [0,0,2]You can test the code here.
Try out the following problems from ZK Puzzles. Run the tests to check your answer.
Uniswap V3 Factory and the Relationship Between Tick Spacing and Fees In early chapters, we introduced the concept of ticks, which discretize the price curve. A tick is a price defined by the formula $p(i)=1.0001^i$, where $i$ is named tick index. Tick indexes are integers within the range $[-887272,887272]$, resulting in 1,774,545 ticks along the […]
ZK Proof of Selection Sort Most computations of interest are generally “stateful” — that is, they need to go through a series of steps to produce the final result. Sometimes, we do not need to show we executed the computation but only show the result. For example, if A is a list, we can prove […]
How a ZKVM Works A Zero-Knowledge Virtual Machine (ZKVM) is a virtual machine that can create a ZK-proof that verifies it executed a set of machine instructions correctly. This allows us to take a program (a set of opcodes), a virtual machine specification (how the virtual machine behaves, what opcodes it uses, etc), and prove […]
The Permutation Argument A permutation argument is a proof that two lists hold the same elements, but possibly in a different order. For example, [2,3,1] is a permutation of [1,2,3] and vice-versa. The permutation argument is useful for proving one list is a sorted version of another. That is, if list B has the same […]
As a RareSkills researcher, you will be contributing to the technical content we post on our website.
We’re looking for someone to design and implement security measures and defense-in-depth controls to prevent and limit vulnerabilities.
We’re looking for a Senior Full-Stack Engineer to play a foundational role in working across the entire offchain stack of products.
We are seeking a talented Rust Developer to build a robust, scalable blockchain indexers and analytic backend.