Here is bellman pedersen hash example, written with ethereum bellman fork, designed by Matter Labs.

main.rs contains a circuit for the statement "I know x such that pedersen(pedersen(pedersen(pedersen(pedersen(x))))) == y"

cargo build --release

cargo run --release runs the example proof in the main file.

cargo run --release --no-default-features runs the proof in single threaded mode

To construct a circuit, first flatten your program into its constituent steps.

Allocate the variables, then enforce the constraints.

Enforcing the constraint takes the form of A * B = C. (is a linear combination, vectors of all your variables)

The lc in the cs.enforce function stands for "linear combination", and is an inner product of all the variables with some vector of coefficients.

These examples use the function generate_random_parameters to generate a random set of parameters for testing. For real use cases, these parameters would have to be generated securely, through a multi-party computation.

To create a proof, instantiate a version of the struct that is passed into the circuit, with the inputs to the circuit.

In these examples, the function create_random_proof is used to create a random groth16 proof.

To verify a proof, prepare the verifying key by passing in params.vk to prepare_verifying_key. This gives you the prepared viewing key, pvk.

The function verify_proof takes the prepared viewing key pvk, the proof, and the output as an array.