Difference between primary_input and auxiliary_input
oj01ol opened this issue
Hi,
In the r1cs_zk_proof_systems, there are two inputs called primary_input and auxiliary_input that constitute the witness of the prover. Could I please know what the difference between the two inputs is and why primary_input is needed in the verification methods? Isn't the primary_input the secret owned by the prover?
There is an example verification in r1cs_ppzksnark.tcc:

```cpp
bool r1cs_ppzksnark_online_verifier_weak_IC(const r1cs_ppzksnark_processed_verification_key<ppT> &pvk,
                                            const r1cs_ppzksnark_primary_input<ppT> &primary_input,
                                            const r1cs_ppzksnark_proof<ppT> &proof)
{
    libff::enter_block("Call to r1cs_ppzksnark_online_verifier_weak_IC");
    assert(pvk.encoded_IC_query.domain_size() >= primary_input.size());

    libff::enter_block("Compute input-dependent part of A");
    const accumulation_vector<libff::G1<ppT> > accumulated_IC =
        pvk.encoded_IC_query.template accumulate_chunk<libff::Fr<ppT> >(primary_input.begin(), primary_input.end(), 0);
    const libff::G1<ppT> &acc = accumulated_IC.first;
    libff::leave_block("Compute input-dependent part of A");
```

I would appreciate any insights/clarifications on this.
Thank you.
emm...
primary_input could be seen as the public inputs, and auxiliary_input is the secret inputs.
Thanks for your reply!
It makes sense that the primary_input is the public inputs. But in r1cs_examples.tcc, the primary_input is generated randomly and the auxiliary_input is calculated based on the primary_input. Does this mean that if a verifier gets the primary_input and the constraint_system, it can calculate the auxiliary_input? Is there a problem here?
Zero knowledge means that a verifier cannot learn anything about the auxiliary input, other than what can already be computed from the public input and the output. In the case of the r1cs example, it uses a very simple constraint system, so the auxiliary input is deterministic off of the primary input, so there is nothing that one could hope to be hidden by zero knowledge.
For more complex constraint systems, where knowledge of the primary input does not imply knowledge of the auxiliary input, that would not be possible.
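
The distinction drawn in the last reply, as an added illustration that is not libsnark code and not written by anyone in this thread: a toy R1CS over F_97 with a brute-force count of the auxiliary inputs that are consistent with a given primary input. The modulus, both constraint systems and all names are constructed assumptions; the first system fixes the auxiliary input from the primary input, the second does not.

```cpp
// Added illustration; not libsnark code. Toy R1CS over F_97 (constructed).
#include <cstdint>
#include <cstdio>
#include <vector>

static const uint64_t P = 97;  // toy field modulus (assumption)
using Vec = std::vector<uint64_t>;
// One constraint <a,z> * <b,z> = <c,z>, with z = (1, primary..., auxiliary...).
struct Constraint { Vec a, b, c; };
struct System { size_t num_primary, num_aux; std::vector<Constraint> cs; };

static uint64_t dot(const Vec &row, const Vec &z) {
    uint64_t s = 0;
    for (size_t i = 0; i < row.size(); ++i) s = (s + row[i] * z[i]) % P;
    return s;
}

// Satisfaction check over the full assignment; only the prover holds aux.
bool is_satisfied(const System &sys, const Vec &primary, const Vec &aux) {
    if (primary.size() != sys.num_primary || aux.size() != sys.num_aux) return false;
    Vec z{1};
    z.insert(z.end(), primary.begin(), primary.end());
    z.insert(z.end(), aux.begin(), aux.end());
    for (const Constraint &k : sys.cs)
        if (dot(k.a, z) * dot(k.b, z) % P != dot(k.c, z)) return false;
    return true;
}

// Brute force: how many auxiliary inputs are consistent with this primary input?
size_t count_witnesses(const System &sys, const Vec &primary) {
    size_t total = 1, hits = 0;
    for (size_t i = 0; i < sys.num_aux; ++i) total *= P;
    for (size_t n = 0; n < total; ++n) {
        Vec aux(sys.num_aux);
        size_t t = n;
        for (auto &v : aux) { v = t % P; t /= P; }
        if (is_satisfied(sys, primary, aux)) ++hits;
    }
    return hits;
}

// z = (1, x, w1, w2): w1 = x*x, w2 = w1 + x. The aux is a function of the primary.
System chain() { return {1, 2, {{{0,1,0,0},{0,1,0,0},{0,0,1,0}}, {{0,1,1,0},{1,0,0,0},{0,0,0,1}}}}; }
// z = (1, y, p, q): p*q = y. Knowing y does not single out (p, q).
System product() { return {1, 2, {{{0,0,1,0},{0,0,0,1},{0,1,0,0}}}}; }
int main() {
    std::printf("chain:   %zu witness(es)\n", count_witnesses(chain(), {5}));
    std::printf("product: %zu witness(es)\n", count_witnesses(product(), {6}));
}
```

Brute force is only feasible here because the field is tiny; it stands in for what anyone holding the primary input and the constraint system could compute.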