Question: How to verify if a public witness is associated with certain public inputs?

[Teja2045]

How do the verifier make sure that the proof is indeed related to given Hash (public input). Is there a way to verify this? If Im not wrong, the public witness might help here, but I am not sure how?

I have a simple Mimc circuit here

type MimcCircuit struct {
	PreImage frontend.Variable
	Hash     frontend.Variable `gnark:",public"`
}

func (circuit *MimcCircuit) Define(api frontend.API) error {

	mimc, _ := mimc.NewMiMC(api)

	mimc.Write(circuit.PreImage)

	api.AssertIsEqual(circuit.Hash, mimc.Sum())
	return nil
}

and

       var circuit MimcCircuit
	ccs, _ := frontend.Compile(ecc.BN254.ScalarField(), r1cs.NewBuilder, &circuit)

	pk, vk, _ := groth16.Setup(ccs)

	dummyData := utils.GetDummyHashedData()
	assignment := MimcCircuit{
		PreImage: dummyData.Data,
		Hash:     utils.HexStringToByteArray(dummyData.HashString),
	}

	witness, _ := frontend.NewWitness(&assignment, ecc.BN254.ScalarField())

	publicWitness, _ := witness.Public()

	fmt.Println("hash string is ", dummyData.HashString)
	fmt.Println("hash by array is ", utils.HexStringToByteArray(dummyData.HashString))
	fmt.Println("------------ Public Witness is ", publicWitness, "--------------")

	proof, _ := groth16.Prove(ccs, pk, witness)

	groth16.Verify(proof, vk, publicWitness)

[Tabaie]

The public witness contains exactly the values designated as public. How they are incorporated into the verification process depends on the proof system, but in general it involves something similar to a "homomorphic" commitment scheme (Pedersen in the case of Groth16, and KZG for PlonK.)

[ThomasPiellard]

Hi, not sure if I understand your issue correctly, is your question about 1) how does groth16 deal with public inputs in general or 2) do you want to know how to bound a hash to public values inside of a circuit ? In the case of 1) the proof simply doesn't pass if the public inputs are not related to the proof. For 2), you could instead of having a lot of public inputs, hash them, make the hash public, make the public inputs private, and prove inside of the circuit that the now public hash corresponds to the hash of the private (formerly public) inputs

[Teja2045]

@Tabaie @ThomasPiellard thanks for the replies. Let me rephrase my question again.

Inputs 1: data-1, Hash 1
Inputs 2: data-2, Hash 2

First inputs will generate zkProof-1, and second will generate zkProof-2.. but how do the verifier can differentiate between them? That zkProof-1 is indeed of Hash-1 and zkProof-2 is indeed of Hash-2?

@Tabaie answer does give the idea but I don't have much background in crypto graphy. So it would great if there is any high level code example or libraries I can refer.

Thank you.

[ThomasPiellard]

ok so it was my option 1) I think, so the verifier works by doing a succint computation (namely some pairings in the case of plonk and groth16) on a tuple (public inputs, proof, verification key). A proof contains different components, a part P1 that depends on all the inputs (public and private) and a part P2 that depends only on the private inputs. To verify a proof, the P2 part needs to be completed by the verifier using a set of public inputs and the proof passes only if the P2 part is completed with the public inputs that were used in the computation of P1. As @Tabaie said in plonk and groth16 P2 is a KZG commitment to the private inputs, and at some point in the verification process we need a commitment to all the inputs, so the verifier computes on its own a commitment to the public inputs PI and obtains the commitment to all the inputs by adding P2 and PI. If 'PI' is wrong, the whole commitment is wrong and the proof doesn't pass, if you look at the plonk verifier for instance PI is computed in the scope here https://github.com/Consensys/gnark/blob/master/backend/plonk/bn254/verify.go#L115

[Teja2045]

"so the verifier computes on its own a commitment to the public inputs PI.."

I think this answers my questions. Does the public_witness play it's part here?

If the public_witness is encrypted data of public data( homomorphic hidings or something), can a verifier check if the public_witness is indeed of the given Hash (public data).

Sorry if I'm being confusing. I am new to ZK stack. I just want to know how can the verifier differentiate between Valid zk-proofs of same circuits at HIGH LEVEL.

If the method was something like this
groth16.verify(proof, vk, Hash (or whatever public data), It would be way clearer..

[ThomasPiellard]

yes the public_witness plays its part in the computation of PI. But I don't understand the last remark, the signature of Verify is Verify(proof Proof, vk VerifyingKey, publicWitness witness.Witness, opts ...backend.VerifierOption) so you have the public witness part involved

[Teja2045]

At a HIGH level,

Problem statement:
Someone (proover) is claiming that he knows certain Data ( secret input) that hashes to Hash-1 (public data)

The prover sent ZkProof, public witness to me (verifier)

I run the groth16.verify(zkProof, public witness, vk) and can be assured that the proof is indeed right.

But whether if it's the zkProof or public Witness, they are more some encrypted data. It could be any valid inputs ( valid data that hashes some valid Hash).. but How can I make sure it is not some random valid inputs but the Hash-1 ( the one I'm expecting).

[Teja2045]

Or simply,

Can I independently construct public_witness knowing the public inputs of the circuit or vice versa ?

[ThomasPiellard]

yes public_witness and public inputs are the same thing, and it's not encrypted, in your example the raw result of the hash is used as public input, it's not encrypted or anything

[Teja2045]

I see. So it's just a matter of encoding and decoding.

Thanks a lot for your time. I'm new to gnark and this has been bugging me a lot. I didn't find any example or unit test ensuring this check, so it was hella confusing.

Thanks again 😀