halo
Implement variable-bound range proofs
The Bitcoin example recursive circuit needs to enforce:
- `hash <= target` (to ensure the block header satisfies the required work)
- `remainder <= target` (as part of constraining the integer division `2^256 / (target + 1) = work`)

`target` is expanded from the header's `nBits` field, and thus is almost never a power of two, requiring a variable-bound range proof.
I recommend implementing the power-of-two range proof as a separate gadget, and then implementing this in terms of that one.
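
An added illustration, not part of the original issue and not halo code: a Python model of the two checks, where the variable-bound comparison is built only from a power-of-two range gadget by also range-checking `bound - x`. The function names, the stand-in prime `P = 2^521 - 1`, and the sample `nBits` value `0x1d00ffff` are assumptions chosen for the example, and this construction is one common way to do it rather than the design the issue prescribes.

```python
# Added example: a field-arithmetic model of the checks, not halo circuit code.
P = 2**521 - 1   # stand-in prime field (assumption); large enough that nothing below wraps
N = 256          # bit width of hash, target, remainder and work

def expand_nbits(nbits):
    """Expand Bitcoin's compact nBits encoding into the integer target."""
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def range_pow2(x, n=N):
    """Power-of-two range gadget: x equals the recomposition of its n low bits."""
    x %= P
    bits = [(x >> i) & 1 for i in range(n)]           # witness bits
    return sum(b << i for i, b in enumerate(bits)) == x

def leq(x, bound, n=N):
    """Variable-bound gadget: x <= bound, using only range_pow2."""
    diff = (bound - x) % P    # wraps to an element >= P - 2^n when x > bound
    return range_pow2(x, n) and range_pow2(bound, n) and range_pow2(diff, n)

def work_witness(target):
    """Prover side: quotient and remainder of 2^256 / (target + 1)."""
    return divmod(2**N, target + 1)

def check_header(hash_int, nbits, work, remainder):
    """Verifier side: the constraints listed in the issue."""
    target = expand_nbits(nbits)
    division_ok = (work * (target + 1) + remainder) % P == 2**N % P
    return (leq(hash_int, target) and leq(remainder, target)
            and range_pow2(work) and division_ok)

if __name__ == "__main__":
    nbits = 0x1D00FFFF                       # sample compact target
    target = expand_nbits(nbits)
    work, rem = work_witness(target)
    print(hex(target), work)
    print(check_header(target - 12345, nbits, work, rem))     # constructed hash below target
    print(check_header(target + 1, nbits, work, rem))         # constructed hash above target
    # Forged witness: satisfies the division equation, fails remainder <= target.
    print(check_header(target - 12345, nbits, work - 1, rem + target + 1))
```

The forged witness in the last call shows why the remainder bound is needed: without it, any smaller `work` with a correspondingly larger `remainder` would satisfy the division equation.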