Constraint Systems: Prove Any Computation
Learn how to express logic as mathematical constraints
Build zero-knowledge circuits for rollups
Constraint Systems
A **constraint system** is the mathematical framework that encodes circuit logic into equations a prover must satisfy. It's the bridge between your circuit (gates and wires) and the cryptographic proof system. The prover provides values (witness) that satisfy all constraints, and the verifier checks the proof without seeing the witness.
Different constraint systems offer different tradeoffs: proof size, verification cost, setup requirements, and proving time. Modern ZK-Rollups carefully choose their constraint system based on their specific needs and security model.
Interactive: Constraint System Comparison
Compare the three major constraint systems used in production ZK-Rollups.
R1CS (Rank-1 Constraint System)
Classic constraint system used by Groth16 and many SNARKs
R1CS Deep Dive
**Rank-1 Constraint System (R1CS)** is the most common format. Each constraint is a rank-1 bilinear equation:
Interactive: R1CS Constraint Visualizer
Visualize how a simple multiplication constraint works.
Constraint: a * b = c
R1CS Representation
- Matrix A selects witness value a (3)
- Matrix B selects witness value b (4)
- Matrix C selects the product c (12)
- Constraint checks: 3 * 4 = 12 ✓
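The matrix view listed above, written out as an added example (not code from the original page): each row of A, B and C is dotted with the witness vector, and row i is satisfied when (A_i·w) * (B_i·w) = C_i·w in the field. It goes beyond the single a * b = c case by adding a second row; the modulus `P`, the constant-1 slot at `w[0]`, the second constraint and all function names are assumptions made for illustration.

```python
# Added example: R1CS satisfaction check, (A_i·w) * (B_i·w) == C_i·w per row.
# P, the witness layout and the second constraint are illustrative assumptions.

P = 2**61 - 1  # constructed prime modulus; real systems use a curve's scalar field


def dot(row, w):
    """Inner product of one matrix row with the witness, reduced mod P."""
    return sum(r * x for r, x in zip(row, w)) % P


def failing_constraints(A, B, C, w):
    """Return indices of rows where (A_i·w) * (B_i·w) != C_i·w (mod P)."""
    if not (len(A) == len(B) == len(C)):
        raise ValueError("A, B and C must have the same number of rows")
    if any(len(row) != len(w) for M in (A, B, C) for row in M):
        raise ValueError("each row needs one coefficient per witness entry")
    if w[0] % P != 1:
        raise ValueError("w[0] must be the constant 1")
    return [i for i, (a, b, c) in enumerate(zip(A, B, C))
            if dot(a, w) * dot(b, w) % P != dot(c, w)]


# Witness layout (assumed): w = [1, a, b, c, d]
# Row 0: a * b = c         the page's constraint
# Row 1: (c + 1) * c = d   constructed; A selects a linear combination 1 + c
A = [[0, 1, 0, 0, 0],
     [1, 0, 0, 1, 0]]
B = [[0, 0, 1, 0, 0],
     [0, 0, 0, 1, 0]]
C = [[0, 0, 0, 1, 0],
     [0, 0, 0, 0, 1]]


def build_witness(a, b):
    """Honest prover: derive every intermediate wire from the inputs."""
    c = a * b % P
    d = (c + 1) * c % P
    return [1, a, b, c, d]


honest = build_witness(3, 4)   # a=3, b=4 as in the page's example
tampered = honest[:]
tampered[3] = 13               # constructed bad witness: claims 3 * 4 = 13

if __name__ == "__main__":
    print("honest fails rows:", failing_constraints(A, B, C, honest))
    print("tampered fails rows:", failing_constraints(A, B, C, tampered))
```

Changing one wire breaks every row that reads it, which is why the tampered witness fails both constraints rather than only the first.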
Setup Ceremonies
Trusted Setup (Groth16/R1CS)
Requires multi-party ceremony to generate proving/verification keys. If ceremony is compromised, proofs can be forged.
Universal Setup (PLONK)
One-time ceremony for all circuits. Can be updated incrementally. More flexible but larger proofs.
Transparent (STARKs/AIR)
No trusted setup needed. Uses public randomness. Larger proofs but post-quantum secure.