scipr-lab / libsnark

C++ library for zkSNARKs

Difference between primary_input and auxiliary_input #154

Open oj01ol opened 5 years ago

oj01ol commented 5 years ago

Hi,

In the r1cs_zk_proof_systems, there are two inputs called primary_input and auxiliary_input that constitute the witness of the prover. Could I please know what the difference between the two inputs is and why primary_input is needed in the verification methods? Isn't the primary_input the secret owned by the prover?

There is an example verification in r1cs_ppzksnark.tcc:

bool r1cs_ppzksnark_online_verifier_weak_IC(const r1cs_ppzksnark_processed_verification_key<ppT> &pvk,
                                            const r1cs_ppzksnark_primary_input<ppT> &primary_input,
                                            const r1cs_ppzksnark_proof<ppT> &proof)
{
    libff::enter_block("Call to r1cs_ppzksnark_online_verifier_weak_IC");
    assert(pvk.encoded_IC_query.domain_size() >= primary_input.size());
    libff::enter_block("Compute input-dependent part of A");
    const accumulation_vector<libff::G1<ppT> > accumulated_IC = pvk.encoded_IC_query.template accumulate_chunk<libff::Fr<ppT> >(primary_input.begin(), primary_input.end(), 0);
    const libff::G1<ppT> &acc = accumulated_IC.first;
    libff::leave_block("Compute input-dependent part of A");

I would appreciate any insights/clarifications on this.

Thank you.

jiangyuzhao commented 5 years ago

Emm... primary_input could be seen as the public inputs, and auxiliary_input as the secret inputs.

oj01ol commented 4 years ago

Thanks for your reply!

It makes sense that the primary_input is the public inputs. But in the r1cs_examples.tcc, the primary_input is generated randomly and the auxiliary_input is calculated based on the primary_input. Does this mean that if a verifier gets the primary_input and the constraint_system, it can calculate the auxiliary_input? Is there a problem here?

ValarDragon commented 4 years ago

Zero knowledge means that a verifier cannot learn anything about the auxiliary input, other than what can already be computed from the public input and the output. In the case of the r1cs example, it uses a very simple constraint system, so the auxiliary input is deterministic off of the primary input, so there is nothing that one could hope to be hidden by zero knowledge.

For more complex constraint systems, where knowledge of the primary input does not imply knowledge of the auxiliary input, that would not be possible.
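The distinction discussed in this thread, as an added example that is not libsnark code and does not use its API: a toy R1CS satisfaction check over the field F_97, with one system where the auxiliary input follows from the primary input and one where it does not. The names `ToyR1CS`, `is_satisfied`, `square_system` and `product_system` and the modulus are assumptions made for illustration; the field is far too small to hide anything and only shows the structure.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Toy R1CS over F_97 (constructed for illustration; not libsnark's types).
// Full assignment z = (1, primary..., auxiliary...); each constraint demands
// <a,z> * <b,z> == <c,z> (mod P). A verifier is only ever given `primary`.
static const std::uint64_t P = 97;
using Vec = std::vector<std::uint64_t>;
struct Constraint { Vec a, b, c; };  // one coefficient per slot of z
struct ToyR1CS { std::size_t primary_size, auxiliary_size; std::vector<Constraint> constraints; };

static std::uint64_t dot(const Vec &coeffs, const Vec &z) {
    std::uint64_t acc = 0;
    for (std::size_t i = 0; i < coeffs.size() && i < z.size(); ++i)
        acc = (acc + (coeffs[i] % P) * (z[i] % P)) % P;
    return acc;
}

// The prover-side check: it needs both halves of the assignment.
bool is_satisfied(const ToyR1CS &cs, const Vec &primary, const Vec &auxiliary) {
    if (primary.size() != cs.primary_size || auxiliary.size() != cs.auxiliary_size) return false;
    Vec z{1};
    z.insert(z.end(), primary.begin(), primary.end());
    z.insert(z.end(), auxiliary.begin(), auxiliary.end());
    for (const Constraint &k : cs.constraints)
        if ((dot(k.a, z) * dot(k.b, z)) % P != dot(k.c, z)) return false;
    return true;
}

// System 1: z = (1, x, y) with x * x = y. The auxiliary y is fixed by the public x.
ToyR1CS square_system() {
    ToyR1CS cs{1, 1, {}};
    cs.constraints.push_back(Constraint{Vec{0, 1, 0}, Vec{0, 1, 0}, Vec{0, 0, 1}});
    return cs;
}

// System 2: z = (1, n, p, q) with p * q = n. The public n admits several (p, q)
// assignments, so n alone does not say which one the prover holds.
ToyR1CS product_system() {
    ToyR1CS cs{1, 2, {}};
    cs.constraints.push_back(Constraint{Vec{0, 0, 1, 0}, Vec{0, 0, 0, 1}, Vec{0, 1, 0, 0}});
    return cs;
}

int main() {
    std::cout << is_satisfied(square_system(), {5}, {25}) << "\n";
    std::cout << is_satisfied(product_system(), {35}, {5, 7}) << "\n";
    return 0;
}
```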