# Muh Privacy: Separating public and private inputs

We shall address how our equation changes to allow for both public and private inputs.

Let’s recap; the prover calculates the following EC points:

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2FRITR3VMF6pdvbmL7FCwF%2Fimage.png?alt=media&#x26;token=6ec64013-eafd-49ba-918c-9a043a1e0bab" alt=""><figcaption></figcaption></figure>

And the verifier will calculate pairing( **`α[G1]`**, **`β[G2]`**) and the equality:

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2FpZURM7D6EChuLXsPswa6%2Fimage.png?alt=media&#x26;token=cde657e6-79ea-4457-9267-085af800b9e7" alt=""><figcaption></figcaption></figure>

Let us split our previously used witness into public and private inputs:

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2Fh5FXAjwrXsrY6iO1d67a%2Fimage.png?alt=media&#x26;token=79ff6eb8-9e40-46db-950e-bd71fcd66a6f" alt=""><figcaption></figcaption></figure>

* Here we assume that the public inputs are 1 and out; and the rest are private inputs.
* Public inputs are handled by the verifier
* Private inputs are handled by the prover

As much as we are splitting the witness vector up based on privacy, this only impacts the construction of `[C]`. \[A] and \[B] remain unchanged.

* \[C] is computed over private inputs by the prover
* \[C] is computed over public inputs by the verifier

This means that the prove computes a fragment of \[C] and passes it to the verifier, which then computes the remaining public fragment, obtaining the whole piece; then proceeding to verify the proof.

### **Splitting `[C]`**

*Note that while we use polynomial expression (W\.a and so forth), it should be synonymous with their respective EC point forms.*

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2FxRIQOf9qHeKU1puX4lIE%2Fimage.png?alt=media&#x26;token=249456eb-f048-40c7-bf98-5d66d2ab3e31" alt=""><figcaption></figcaption></figure>

* For the verifier, the summation symbol starts with 0 and ends with 1, indicating the 1st and 2nd term of the witness vector: $a\_i: a\_0, \space a\_1$
  * $$a\_0$$: `1`
  * $$a\_1$$: `out`
* Notice that the prover is responsible for calculating `[HT]`, and the verifier handles `[αβ]`
* Given the new breakdown of `[C]`, the verifier key will have to accommodate the necessary EC data. We will address what the final proving and verifier key are at the end.

#### Alternative visual

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2FMTnqYmLed2JLjiiFvilJ%2Fimage.png?alt=media&#x26;token=84f4cc2c-62c2-409b-9542-2218074ec950" alt=""><figcaption></figcaption></figure>

### Preventing forgeries due to splitting \[C] **with γ and δ**

There is nothing preventing a malicious prover from using public inputs to, uhh, somehow magically create a valid forged proof.

To negate this attack vector, we introduce another set of greek alphabets: γ and δ.

* The verifier fragment of \[C] is divided by **γ**
* The prover fragment of \[C] is divided by **δ**
* These values are randomly sampled during the trusted phase setup

**What this looks like:**

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2FrigMhFmkMn8OOtxNxGSQ%2Fimage.png?alt=media&#x26;token=eb77967d-d046-41ed-a568-0371069a2e0b" alt=""><figcaption></figcaption></figure>

### Verification with γ and δ

$$
e(\[A]\_1, \[B]*2)  \stackrel{?}{=} e(\[C*{private}]\_1, \[γ]*2) + e(\[C*{public}]\_1, \[δ]\_2) + e(\[α]\_1, \[β]\_2)
$$

* Prover generates EC points: \[A], \[B], \[C\_private]
* Verifier generates EC points: \[C\_public]
* Verifier calculates the 4 bilinear mappings as seen above, and checks for equality
* The following values are randomly sampled during the trusted setup phase:
  * **γ**, **δ, α, β and τ**
  * are communicated as EC points of different groups to the verifier to obfuscate their values.

### Trusted Setup

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2FgoocxjN5iX4Avt5i4QiW%2Fimage.png?alt=media&#x26;token=3d7d9aad-0f7b-4b10-9e12-8d3846f61e87" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2Fi7Rt1yZuhUjIoFe2yGC8%2Fimage.png?alt=media&#x26;token=4b176ab3-22b0-4c4a-aa2e-a3ff61064723" alt=""><figcaption></figcaption></figure>

### Last Problem: Guessability

If the range of values over witness vector variables can take are very small and therefore easily guessable; e.g. a binary variable that only be either 1 or 0.

In such a situation, an attacker can iterate through a list of guesses of proofs to generate a legitimate one.

**Solution**

* The solution is to introduce more greek alphabets - for salting/random shifting, of course.
* In this case, we will introduce **`r`** and **`s`**.
* r & s are introduced in the proving phase. (Not trusted setup)
* Prover randomly samples 2 field elements.

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2FYLsS66hvGNwK1aGNjPHx%2Fimage.png?alt=media&#x26;token=e5ab7352-3412-4bca-94b5-db0a8e60f170" alt=""><figcaption></figcaption></figure>

* Both **`[A]`** and **`[B]`** are shifted with the introduction of **`r`** and **`s`**; similar to the introduction of alpha and beta
* Prover needs to use one of the EC points within the proving key to raise both `r` and `s` into EC points themselves; hence the use of **`[δ]`**

Obviously with the introduction of new variables we need to balance the equality. Though the question is how:

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2FoSDTmVQExf2ZsAkmwtkl%2Fimage.png?alt=media&#x26;token=867cdc13-d23f-4376-a14a-aa8ff728d4db" alt=""><figcaption></figcaption></figure>

* By this point it should be evident to the reader how `sU` and `rV` map to `s[A]` and `r[B]`.
* There might be some initial confusion as to why the last term is `- rs[δ]` and not perhaps `+ rs[δ]`
* **This is why:**

<figure><img src="https://1983523492-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0nwEx8a60yETwfNYnenT%2Fuploads%2FGSHCK8emXnPEZd42qtKJ%2Fimage.png?alt=media&#x26;token=779f74ad-ea94-4286-9a8d-a41c7fd8adb8" alt=""><figcaption></figcaption></figure>

* **`sU`** and **`rV`** are actually representative of the old **`[A]`** and **`[B]`** points; pre-shifting with **`r`** and **`s`**.
* Whereas **`s[A]`** and **`r[B`**`]` introduced as balancing terms to the RHS, are reflective of the new **`[A]`** and **`[B]`** points; inclusive of the shifting caused by **`r`** and **`s`**.
* Instead of using the “old” points. we use the new points and negate the extra **`rs`** term.

This means we now need a **`[B]`** and **`[δ]`** in **G1**, as part of balancing **\[C]** - amongst other additions to the trusted setup phase. We will list the final variables in the next section.