Closing this PR as there is a simpler way to implement the OR gate.
@porcuquine pointed me to the following OR gadget in the Lurk codebase which uses De Morgan's law to implement OR using NOT and AND.
// Use DeMorgan to constrain or.
pub(crate) fn or<CS: ConstraintSystem<F>, F: PrimeField>(
mut cs: CS,
a: &Boolean,
b: &Boolean,
) -> Result<Boolean, SynthesisError> {
Ok(Boolean::not(&Boolean::and(
cs.namespace(|| "not and (not a) (not b)"),
&Boolean::not(a),
&Boolean::not(b),
)?))
}
Using this implementation of OR reduced the number of constraints in a SHA1 compression function from 16706 to 15426. See commit here.
The reason more constraints were required in the current PR is that an AllocatedBit was being allocated in the or_not_allocated_bits, nand_allocated_bits, and or_allocated_bits functions. This allocation was to get around the fact that the fields of AllocatedBit are private, preventing a direct creation of the struct as follows. Such creation occurs in the boolean module of bellpepper-core.
Closing this PR as there is a simpler way to implement the OR gate.
@porcuquine pointed me to the following OR gadget in the Lurk codebase which uses De Morgan's law to implement OR using NOT and AND.
Using this implementation of OR reduced the number of constraints in a SHA1 compression function from 16706 to 15426. See commit here.
The reason more constraints were required in the current PR is that an
AllocatedBit
was being allocated in the or_not_allocated_bits, nand_allocated_bits, and or_allocated_bits functions. This allocation was to get around the fact that the fields ofAllocatedBit
are private, preventing a direct creation of the struct as follows. Such creation occurs in theboolean
module ofbellpepper-core
.I will be deleting the
sha1
branch. Those interested in what was in the commit can find it in this branch in my fork ofbellpepper-gadgets
.