# #5 Circom: Witness, Proof generation and Verification ## Recap: Signal operators * `===` : used to constraint two signals * `←—` : used to assign a value to a signal * `<==` : assign and constraint (combines the above two operators) #### Example ```jsx template Main() { // inputs signal input a; signal input b; // intermediate signal x; signal y; // assignments x <-- a + 3; // constraints a === b; x === a + 3; y <== a + 3; } ``` * `x <-- a + 3` : `x` is **assigned** the value of input signal `a` incremented by 3. * `x === a + 3` : `x` is **constrained** against the value of input signal `a` incremented by 3. * `y <== a + 3` : `y` is **assigned** **&** **constrained** against the value of input signal `a` incremented by 3. Essentially, the two operations with `x` can be simplified to one operation as seen with `y`. ## Use `<==` with intermediate signals In the previous article, we use a combination of `<--` and `===` to introduce our intermediate signal `prod`. We could have simply used a single `<==` operator: ```jsx template Mul3() { // input signals signal input a; signal input b; signal input c; signal input res; // intermediate signal: declaration signal prod; // quadratic constraints prod <== a * b; res === prod * c; } ``` The `<==` operator does two operations under the hood: 1. assign `prod` the value of `a * b`, 2. constraint `prod` against said value. The question we left the reader with was: \ ‘*Why constraint `prod === a * b`? Why is assignment alone insufficient?*’.
To answer this question we first explore what happens to circuits during and after compilation. ## **Witness, Proof generation and Verification** Let’s examine how a proof is generated and verified using the example above: ```jsx template Mul3() { // input signals signal input a; signal input b; signal input c; signal input res; // intermediate signal: declaration signal prod; // quadratic constraints prod <== a * b; res === prod * c; } ``` The process of compiling this circuit creates a number of artifacts that are meant to help with: 1. Witness generation 2. Low-level representation of constraints

### **Witness generator** * The artifacts pertaining to witness generation assists with calculating intermediate signals from the primary inputs (signal inputs). * This is helpful since the prover expects a witness as input. Meaning to say, we are expected to supply the intermediate signal values as well. **Hence, we see that the witness generator accounts for operations involving ****`<--`**** .** ### **Low-level representation of constraints** * This is to be fed into a zkSNARK generator like snarkjs, to generate a **prover** and **verifier**. * The prover component can be integrated with some web app, while the verifying component could be integrated into a smart contract or server. * ~~Since the compiler places restrictions on how the `===` and `<==` can be used, the resulting system of constraints are of R1CS form.~~ #### Example illustration

* The prover expects inputs values in-line with the dimensions of the witness vector; intermediate signals and all. * From this, it generates a proof. * The verifier serves to confirm if the proof provided to it is valid or not. **Consequently, an attacker has two channels of attack:** 1. Supply the prover with tailored witness values, to generate a valid proof 2. Attack the verifier directly by supplying it with a tailored proof Now let’s review and answer the original question in the next section. ### Why assign and **constraint** `prod`? Why is `prod <== a * b` necessary, and `prod <-- a * b` insufficient? Using only `<--` will leave the prover vulnerable to be exploited via tailored witness values. It will produce seemingly valid proofs without checking to ensure prod is constrained. Similarly, the verifier will accept these proofs. Let us illustrate this:

* Witness generation remains unchanged * System of constraints changes; `prod === a * b` is dropped This means that when we feed the constraints generated on compilation to a zkSNARK generator, the generated prover and verifier will not ensure that `prod` is equivalent to `a * b`. * prover expects `prod` to be supplied together with the other witness values, * prover will not check that `prod` honours the relationship `prod = a * b;` * prove will only generate a proof based on `res === prod * c;` * verifier will only check that proofs honour the constraint `res === prod * c;` In short, the circuit only verifies that `res === prod * c`. This is why it is crucial to **assign and constraint intermediate signals**. Else, the outcome is an under-constrained circuit. *Remember, while the compiler produces witness generator artifacts for our convenience, it does not mean an attacker must use it. An attacker could pass tailored values to the prover, especially if its under-constrained. We will illustrate this in the exercise section.* It is crucial to understand that we can pass any values we want to a prover. The prover will only check that those inputs honour defined constraints and generate a proof. The prover has no concept of witness generation. ### **Takeaway: use ****`<==`**** when assigning to intermediate signals** * using only `<--` with intermediate signals is dangerous, because there is no constraint that ‘protects’ the assignment. * hence, the common use of `<==` in circuit definitions. That leaves us with a final question; when should we be using `<--` all by its lonesome? ## When to use assignment operator: `<—-` Let’s say you want to verify that you know some values x1, x2, x3, x4, out, such that, `out = [(x1 + x2) / x3] - x4`. How would this circuit be constructed? Since constraints must be constructed as quadratic expressions, we need to breakdown the equation into intermediate parts. Like so: * `y1 = x1 + x2` * `y2 = y1 / x3` * `out = y2 - x4` This is how the circuit would look like: ```rust template Main() { // input signals signal input x1; signal input x2; signal input x3; signal input x4; signal output out; // intermediate signals signal y1; signal y2; // calc. intermediate values y2 <-- y1 / x3; // constraints can only have quadratic expressions // can only use + or * or - y1 <== x1 + x2; y1 === y2 * x3; out <== y2 - x4; } component main = Main(); ``` * division is non-quadratic; cannot be used in constraint definition. * cannot express the `y2 = y1 / x3` as a constraint in Circom Therefore, we compute the values of the intermediate signals separately, before defining the constraints. `y2 = y1 / x3` is expressed in two parts: * `y2 <-- y1 / x3;` * `y1 === y2 * x3;` At this point, you should have gotten a good understanding of using `<==` and `<--` . \ Other common places you will notice and be expected to use `<==` is with **components** and **output signals.** Output signals (`signal output out`) would be new to the reader. We will cover this in the next article. *** ## Exercise This exercise will serve to illustrate the folly of using `<--` alone, without constraining the intermediate signal. In an empty directory create `negative.circom`, with the following code: ```jsx pragma circom 2.1.8; template Mul3() { // input signals signal input a; signal input b; signal input c; signal input res; // intermediate signal: declaration signal prod; // quadratic constraints prod <-- a * b; res === prod * c; } component main = Mul3(); ``` **Compile the circuit** * **`circom negative.circom --r1cs --sym --wasm`** * Sanity check on terminal output: `non-linear constraints: 1` **Examine the R1CS file** * **`snarkjs r1cs print negative.r1cs`**

```jsx snarkJS: [ 21888242871839275222246405745257275088548364400416034343698204186575808495616main.prod ] * [ main.c ] - [ 21888242871839275222246405745257275088548364400416034343698204186575808495616main.res ] = 0 ``` There is only 1 constraint in this circuit, which is correctly reflected on compilation and in the R1CS file. **Generate the witness** * create `inputs.json` file in `./negative_js` directory * values passed will be as below {% code title="inputs.json" %} ```json {"a": "1","b": "2","c": "3", "res": "6"} ``` {% endcode %} * run: `node generate_witness.js **negative**.wasm inputs.json witness.wtns` * export to json: `snarkjs wtns export json witness.wtns` * `cat witness.json` should output: ```jsx [ "1", // 1 "3", // c "6", // res "2" // prod ] ``` The reader will observe in the layout of the witness, that intermediate signals are included, and come after input signals. However, the first two input signals, `a` and `b` have been omitted. This is because they are not involved in any constraint definition, and therefore have no place in the witness vector. **Verify `witness.wtns` against the circuit:** `snarkjs wtns check negative.r1cs witness.wtns` * this checks that the witness produced honors the systems of constraints * think of this as a proxy means to check if a computed witness would create a valid proof

The witness clears. \ Now let’s see how to **create a tailored witness** that would be accepted just the same. ### Exploiting the circuit First we re-compile our circuit with the following command: **`circom negative.circom --r1cs --sym --wasm --O0`** We add the **`--O0`** flag, to instruct the compiler to avoid simplifying the circuit on compilation. This will surface both `a` and `b` in the witness. See [constraint simplification](https://docs.circom.io/circom-language/circom-insight/simplification/) for more info. **Generate the witness** * create `inputs.json` file in `./negative_js` directory * values passed will be as below ```json {"a": "1","b": "2","c": "3", "res": "6"} ``` * run: `node generate_witness.js **negative**.wasm inputs.json witness.wtns` * export to json: `snarkjs wtns export json witness.wtns` * `cat witness.json`, should output: ```jsx [ "1", // 1 "1", // **a** "2", // **b** "3", // c "6", // res "2" // prod ] ``` Input signals `a` and `b` are now present in the witness. This is the consequence of using the **`--O0`** flag. #### Creating an exploit witness We are going to show that as long `res = prod * c`, the values of `a` and `b` do not matter. To that end, we will create a malicious witness by altering `witness.wtns`. While it would be preferable to alter `witness.json` to produce the required `witness.wtns`, neither Circom nor snarkjs have the necessary APIs. Hence, the following grease-monkey approach. **Create `view.js` in the same directory as `witness.wtns` with the following code:** ```jsx const fs = require('fs'); const path = require('path'); const witnessPath = path.join(__dirname, 'witness.wtns'); try { const witness = fs.readFileSync(witnessPath); let data_arr = new Uint8Array(witness); console.dir(data_arr, {'maxArrayLength': null}); } catch (error) { console.error(`Error reading witness file: ${error.message}`); } ``` **Running `view.js` will give us the following output in terminal:**

Observe that the values of our witness are laid out in the same sequential order as witness.json.

#### Modify witness values * Overwrite `witness.wtns` where the values for signals `a`, `b` are stored, with arbitrary values. * Create `edit.js` file in the same directory: {% code title="edit.js" %} ```jsx const fs = require('fs'); const path = require('path'); // Use path.join to create a full path to the witness.wtns file const witnessPath = path.join(__dirname, 'witness.wtns'); try { const witness = fs.readFileSync(witnessPath); let data_arr = new Uint8Array(witness); console.log("Before"); console.dir(data_arr, {'maxArrayLength': null}); data_arr[108] = 42; // `a` data_arr[140] = 69; // `b` console.log("After"); console.dir(data_arr, {'maxArrayLength': null}); // create exploit witness const exploitWitnessPath = path.join(__dirname, 'exploit_witness.wtns'); fs.writeFileSync(exploitWitnessPath, data_arr); } catch (error) { console.error(`Error reading witness file: ${error.message}`); } ``` {% endcode %} The After output should be like so:

Observe that only signals `a`, `b` are modified; the rest remain unchanged. **Verify ****`exploit_witness.wtns`**** against the circuit:** * `snarkjs wtns check negative.r1cs exploit_witness.wtns`

This indicates that the exploit witness will be accepted, even though `prod` is not the resulting product of `a` and `b`. This should be instructive in educating the reader the importance of assigning and constraining (`<==`) intermediate variables. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://calnix.gitbook.io/zk-notes/circom/5-circom-witness-proof-generation-and-verification.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.