Comments (5)
Hi Yuan,
Thanks for your interest in jsnark.
Prover witness wires are secret by default (similar to Pinocchio's NIZKInput) and are not revealed to the verifier, unless the programmer chooses to make them part of the public statement (as in the example you are referring to), or of course in the case that the verifier can figure their values out by running the computation itself if possible.
In the division example, secrecy is not important, and the verifier can figure out the witness value as long as the inputs are public. The purpose of introducing a prover witness wire here was to show how to do some things in a more efficient way when you are writing circuits for zk-SNARKs. In cases like this, the programmer does not have to compute the result in the circuit, but it's possible to introduce the solution as a witness and just verify one or more constraints about it.
On the other hand, if you give a look to the example here: you will see prover witness wires created in the beginning. These are going to remain secret in this example, and what will only be public are their hashes as computed by the gadgets. In other words, the circuit here proves the knowledge of SHA-2 preimages in this example among other things.
from jsnark.
Thanks so much for your kindly explaining. It really helps me a lot.
from jsnark.
Hi Ahmed @akosba
I was trying to understand the last part of your above reply. You have mentioned:
the circuit here proves the knowledge of SHA-2 preimages in this example among other things.
I went trough the referenced circuit: AugmentedAuctionCircuitGenerator, to understand how it proves the knowledge of SHA-2 preimages.
However, what that circuit does (among other things) is, computing set of SHA256 digests of (concatenated) secrets. Those digests serve as commitments for parties' input and output balances. Here, the verifier learns the SHA256 digests of 'some' concatenated secrets. But that does not prove to the verifier that the prover knows the correct pre-images of any given SHA256 digests. Therefore, I am bit confused about what kind of zero-knowledge proof is expected by the augmentation work done by the aforementioned circuit.
Is this the expected way of proving the knowledge of SHA-2 preimages?
Thank you very much! I would appreciate a lot any clarifications.
from jsnark.
Is this the expected way of proving the knowledge of SHA-2 preimages?
There can be more than one way.
- You can let the expected digest be an input to the circuit, and let the prover provide the preimage as a witness. You can then compute the digest of the prover's witness and finally assert the equality of both the expected and computed digests. I guess this is the approach you have in mind. Here, the statement will be (input: {expected digest}, output: {}). (By the statement here, I mean the public I/O that the verifier sees).
- Another way is not to provide any input to the circuit, let the prover provide a preimage as a witness, and just make the statement include the output of the gadget directly. Now, the prover will have the freedom to produce any valid proof for any digest, but simply the verifier won't accept the proof and the statement unless the statement looks like this: statement = (input= {}, output = {expected digest}). In other words, we moved the assertion away from the circuit, and will only accept a statement that has a specific property. If the prover sends a valid proof for that particular statement, it will mean that it knows the preimage.
Both methods achieve the requirement. The first one looks easier to follow, and the second saves the coding of few checks/adding input wires.
If you go through the jsnark-libsnark C++ interface code, you will find that both the input and outputs of the circuit are mapped to "primary input" in libsnark (as mentioned in the jsnark readme), i.e. both kinds of wires are eventually dealt with in a similar manner.
from jsnark.
Thank you very much Ahmed @akosba for the detailed explanation. I appreciate it a lot.
from jsnark.
Related Issues (20)
- A Trivial Issue: setWireValue(Wire w, long v) HOT 2
- What License is this? HOT 1
- `make` fails for missing includes HOT 3
- JAVA Version
- SHA 256 gadget's output wires have negative id HOT 2
- Questions about RSAEncryptionV1_5_Gadget HOT 2
- Using AES128CipherCircuitGenerator with plaintexts of size more than 16 bytes HOT 2
- Clarifying the use of the input parameter 'bitwidthPerInputElement' in SHA256 gadget HOT 3
- verifying proof on blockchain HOT 2
- toturial
- LongElement multiplication without creating prover witness wires. HOT 1
- HELP: how to implement a solution in practice?
- Change the curve HOT 2
- Computing scalar multiplication using a negated scalar, on the Elliptic Curve HOT 2
- How to initialize a number on the prime field? HOT 1
- cmake failed HOT 2
- libsnark fails for circuits with checkNonZero depending on execution order HOT 2
- How to recover circuit output from two files HOT 3
- Questions about RSAEncryptionCircuitGenerator HOT 2
- Floating point exception (core dumped)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from jsnark.