Main Circuits
The iden3 circuits are the heart of the protocol. The main ones are:
- stateTransition.circom: checks the execution of the identity state transition by taking the old identity state and the new identity state as inputs.
- authV2.circom: checks that the prover is the owner of an identity.
- credentialAtomicQueryMTPV2.circom: checks that a claim issued to the prover (and added to the issuer's Claims Tree) satisfies a query set by the verifier.
- credentialAtomicQueryMTPV2OnChain.circom: checks that a claim issued to the prover (and added to the issuer's Claims Tree) satisfies a query set by the verifier and the verifier is a smart contract.
- credentialAtomicQuerySigV2.circom: checks that a claim issued to the prover (and signed by the Issuer) satisfies a query set by the verifier.
- credentialAtomicQuerySigV2OnChain.circom: checks that a claim issued to the prover (and signed by the Issuer) satisfies a query set by the verifier and the verifier is a smart contract.
You can find all the source code on GitHub - Iden3 Circuits. All the proving and verification keys necessary to use the circuits were generated after a Trusted Setup Ceremony. Details here: Iden3 Protocol Phase2 Trusted Setup Ceremony
stateTransition
Instantiation Parameters
- idOwnershipLevels: Merkle tree depth level for Identity Trees (claims Tree, revocation Tree and roots Tree)
Inputs
Input | Description | Public or Private |
---|---|---|
userID | Prover's (Genesis) Identifier | Public |
oldUserState | Prover's Identity State (before transition) | Public |
newUserState | Prover's Identity State (after transition) | Public |
isOldStateGenesis | "1" indicates that the old state is genesis: it means that this is the first State Transition, otherwise "0" | Public |
claimsTreeRoot | Prover's Claims Tree Root | Private |
authClaimMtp[idOwnershipLevels] | Merkle Tree Proof of Auth Claim inside Prover's Claims tree | Private |
authClaim[8] | Prover's Auth Claim | Private |
revTreeRoot | Prover's Revocation Tree Root | Private |
authClaimNonRevMtp[idOwnershipLevels] | Merkle Tree Proof of non membership of Auth Claim inside Prover's Revocation Tree | Private |
authClaimNonRevMtpNoAux | Flag that indicates whether to check the auxiliary Node | Private |
authClaimNonRevMtpAuxHv | Auxiliary Node Value | Private |
authClaimNonRevMtpAuxHi | Auxiliary Node Index | Private |
rootsTreeRoot | Prover's Roots Tree Root | Private |
signatureR8x | Signature of the challenge (Rx point) | Private |
signatureR8y | Signature of the challenge (Ry point) | Private |
signatureS | Signature of the challenge (S point) | Private |
newClaimsTreeRoot | Claim Tree Root of the Prover after State Transition is executed | Private |
newAuthClaimMtp[IdOwnershipLevels] | Merkle Tree Proof of existence of the Prover's Auth Claim inside the Claims Tree after State Transition is executed | Private |
newRevTreeRoot | Revocation Tree Root of the Prover after State Transition is executed | Private |
newRootsTreeRoot | Roots Tree Root of the Prover after State Transition is executed | Private |
Scope
- If oldState is genesis, verifies that userID is derived from the oldUserState (= genesis state). Performed using cutId(), cutState() and isEqual() templates
- newUserState is different than zero using isZero() comparator
- oldUserState and newUserState are different using isEqual()
- Verifies user's identity ownership using idOwnershipBySignature(IdOwnershipLevels) template. The challenge signed by the user is H(oldstate, newstate) where H is a Poseidon hash function executed inside the Poseidon(nInputs) template
- Verifies that the auth claim exists in the newClaimsTreeRoot using checkClaimExists(IdOwnershipLevels) template
- Verifies that the new state (newUserState) matches the hash of the new claims tree root (newClaimsTreeRoot), revocation tree root (newRevTreeRoot) and roots tree root (newRootsTreeRoot) using checkIdenStateMatchesRoots()
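As an added illustration (not code from the iden3 repository), the Python sketch below runs the three state checks from the list above that need neither a Merkle proof nor a signature, so malformed inputs can be caught before witness generation. H is a SHA-256 stand-in for Poseidon, so its outputs are not interoperable with the real circuit; the function names and sample roots are constructed.

```python
import hashlib

# Order of the BN254 scalar field that circom signals live in.
FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617

def H(*elems):
    """Stand-in for the Poseidon template (SHA-256 reduced into the field, NOT Poseidon)."""
    data = b"".join(e.to_bytes(32, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % FIELD

def state_from_roots(claims_root, rev_root, roots_root):
    # The identity state commits to all three tree roots at once.
    return H(claims_root, rev_root, roots_root)

def challenge(old_state, new_state):
    # Message the identity owner signs to authorise the transition: H(oldstate, newstate).
    return H(old_state, new_state)

def preflight(inp):
    """Return the state checks from the Scope list that these inputs would fail."""
    failed = []
    if inp["newUserState"] == 0:
        failed.append("newUserState is zero")
    if inp["oldUserState"] == inp["newUserState"]:
        failed.append("oldUserState equals newUserState")
    expected = state_from_roots(inp["newClaimsTreeRoot"], inp["newRevTreeRoot"],
                                inp["newRootsTreeRoot"])
    if inp["newUserState"] != expected:
        failed.append("newUserState does not match new roots")
    return failed

def constructed_inputs():
    # Constructed sample roots (small integers for readability, not real tree roots).
    new_roots = {"newClaimsTreeRoot": 22, "newRevTreeRoot": 5, "newRootsTreeRoot": 7}
    return {"oldUserState": state_from_roots(11, 0, 0),
            "newUserState": state_from_roots(22, 5, 7), **new_roots}

if __name__ == "__main__":
    ok = constructed_inputs()
    print("valid transition:", preflight(ok))
    # Swapping the revocation root without recomputing the state is caught.
    tampered = {**ok, "newRevTreeRoot": 6}
    print("tampered revocation root:", preflight(tampered))
    print("challenge to sign:", challenge(ok["oldUserState"], ok["newUserState"]))
```

Because the state is a single hash over all three roots, a changed revocation or roots tree cannot be published under an unchanged state value.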
authV2
Instantiation Parameters
- IdOwnershipLevels: Merkle tree depth levels for Identity Trees (claims Tree, revocation Tree and roots Tree)
- onChainLevels: Merkle tree depth of GIST stored on chain
Inputs
Input | Description | Public or Private |
---|---|---|
genesisID | genesis ID of the prover | Private |
profileNonce | Random number, stored by the user | Private |
state | Prover's Identity State | Private |
claimsTreeRoot | Prover's Claims Tree Root | Private |
revTreeRoot | Prover's Revocation Tree Root | Private |
rootsTreeRoot | Prover's Roots Tree Root | Private |
authClaim[8] | Prover's Auth Claim | Private |
authClaimIncMtp[IdOwnershipLevels] | Merkle Tree Proof of Auth Claim inclusion inside Prover's Claims tree | Private |
authClaimNonRevMtp[IdOwnershipLevels] | Merkle Tree Proof of non inclusion of Auth Claim Nonce inside Prover's Revocation Tree | Private |
authClaimNonRevMtpNoAux | Flag that indicates whether to check the auxiliary Node | Private |
authClaimNonRevMtpAuxHi | Auxiliary Node Index | Private |
authClaimNonRevMtpAuxHv | Auxiliary Node Value | Private |
challenge | Message to be signed by the Prover to prove control of an Identity | Public |
challengeSignatureR8x | Signature of the challenge (Rx point) | Private |
challengeSignatureR8y | Signature of the challenge (Ry point) | Private |
challengeSignatureS | Signature of the challenge (S point) | Private |
gistRoot | Root of the GIST stored on chain | Private |
gistMtp[onChainLevels] | Merkle Tree Proof of Inclusion of the user state inside the global state | Private |
gistMtpAuxHi | Auxiliary Node Index | Private |
gistMtpAuxHv | Auxiliary Node Value | Private |
gistMtpNoAux | Flag that indicates whether to check the auxiliary Node | Private |
Output
Output | Description | Public or Private |
---|---|---|
userID | Identifier of the user, assigned to H(genesisID, nonce) if nonce != 0, assigned to genesisID if nonce = 0 | Public |
Scope
- Checks that the prover is the owner of an identity, shown by signing a message, using the idOwnershipBySignature template
- Checks that the user state is included in the GIST by using the SMTVerifier(onChainLevels)
- Calculates the userID as H(genesisID, nonce) if nonce != 0, or as genesisID if nonce = 0, and outputs it. This is the public Identity Profile of the user
credentialAtomicQueryMTPV2
The circuit takes a query by a verifier and a claim owned by the prover and generates a proof that the claim satisfies the query. In particular, it:
- Checks that the prover is the owner of an identity by the idOwnershipBySignature template
- Verifies that the identity is the subject of the claim
- Verifies that the claim is included in the issuer's claim tree
- Verifies that the claim schema matches the one in the query
- Verifies that the claim is not revoked by the issuer and is not expired
- Verifies that the query posed by the verifier is satisfied by the claim
credentialAtomicQueryMTPV2OnChain
This circuit should be used for smart contract verifiers. It does all the checks that the credentialAtomicQueryMTPV2 circuit does, plus the following:
- Checks that the prover controls the identity the same way as the AuthV2 circuit checks it
- Calculates a hash of the query inputs, like claimSchema, slotIndex, operator, claimPathKey, claimPathNotExists and values, as a single output for all the query-related inputs. This reduces the number of public inputs and makes it much cheaper for smart contracts to verify the proof.
credentialAtomicQuerySigV2
This circuit checks that an issuer has issued a claim for an identity and validates ownership of that identity in the following manner:
- Checks that the prover is the owner of an identity by the idOwnershipBySignature template
- Verifies that the identity is the subject of the claim
- Verifies that the claim was signed by the issuer
- Verifies that the claim schema matches the one in the query
- Verifies that the claim is not revoked by the issuer and is not expired
- Verifies that the query posed by the verifier is satisfied by the claim
credentialAtomicQuerySigV2OnChain
This circuit should be used for smart contract verifiers. It does all the checks that the credentialAtomicQuerySigV2 circuit does, plus the following:
- Checks that the prover controls the identity the same way as the AuthV2 circuit checks it
- Calculates a hash of the query inputs, like claimSchema, slotIndex, operator, claimPathKey, claimPathNotExists and values, as a single output for all the query-related inputs. This reduces the number of public inputs and makes it much cheaper for smart contracts to verify the proof.