Main Circuits

This iden3 circuits are the heart of the protocol. The main ones are:

stateTransition.circom, checks the execution of the identity state transition by taking the old identity state and the new identity state as inputs.
authV2.circom, checks that the prover is owner of an identity.
credentialAtomicQueryMTPV2.circom, checks that a claim issued to the prover (and added to issuer's Claims Tree) satisfies a query set by the verifier.
credentialAtomicQueryMTPV2OnChain.circom, checks that a claim issued to the prover (and added to issuer's Claims Tree) satisfies a query set by the verifier and the verifier is a smart contract.
credentialAtomicQuerySigV2.circom checks that a claim issued to the prover (and signed by the Issuer) satisfies a query set by the verifier.
credentialAtomicQuerySigV2OnChain.circom checks that a claim issued to the prover (and signed by the Issuer) satisfies a query set by the verifier and the verifier is a smart contract.

You can find all the source code on Github - Iden3 Circuits. All the proving and verification keys necessary to use the circuits were generated after a Trusted Setup Ceremony. Details here: Iden3 Protocol Phase2 Trusted Setup Ceremony

stateTransition

Instantiation Parameters

idOwnershipLevels Merkle tree depth level for Identity Trees (claims Tree, revocation Tree and roots Tree)

Inputs

Input	Description	Public or Private
userID	Prover's (Genesis) Identifier	Public
oldUserState	Prover's Identity State (before transition)	Public
newUserState	Prover's Identity State (after transition)	Public
isOldStateGenesis	"1" indicates that the old state is genesis: it means that this is the first State Transition, otherwise "0"	Public
claimsTreeRoot	Prover's Claims Tree Root	Private
authClaimMtp[idOwnershipLevels]	Merkle Tree Proof of Auth Claim inside Prover's Claims tree	Private
authClaim[8]	Prover's Auth Claim	Private
revTreeRoot	Prover's Revocation Tree Root	Private
authClaimNonRevMtp[idOwnershipLevels]	Merkle Tree Proof of non membership of Auth Claim inside Prover's Revocation Tree	Private
authClaimNonRevMtpNoAux	Flag that indicates whether to check the auxiliary Node	Private
authClaimNonRevMtpAuxHv	Auxiliary Node Value	Private
authClaimNonRevMtpAuxHi	Auxiliary Node Index	Private
rootsTreeRoot	Prover's Roots Tree Root	Private
signatureR8x	Signature of the challenge (Rx point)	Private
signatureR8y	Signature of the challenge (Ry point)	Private
signatureS	Signature of the challenge (S point)	Private
newClaimsTreeRoot	Claim Tree Root of the Prover after State Transtion is executed	Private
newAuthClaimMtp[IdOwnershipLevels];	Merkle Tree Proof of existance of the Prover's Auth Claim inside the Claims Tree after State Transtion is executed	Private
newRevTreeRoot	Revocation Tree Root of the Prover after State Transtion is executed	Private
newRootsTreeRoot	Roots Tree Root of the Prover after State Transtion is executed	Private

Scope

If oldState is genesis, verifies that userID is derived from the oldUserState (= genesis state). Performed using cutId(), cutState()and isEqual() templates
newUserState is different than zero using isZero() comparator
oldUserState and newUserState are different using isEqual()
Verifies user's identity ownership using idOwnershipBySignature(IdOwnershipLevels) template. The challenge signed by the user is H(oldstate, newstate) where H is a Poseidon hash function executed inside the Poseidon(nInputs) template
Verifies that the auth claim exists in the newClaimsTreeRoot using checkClaimExists(IdOwnershipLevels) template
Verifies that the new state (newUserState) matches the hash of the new claims tree root (newClaimsTreeRoot), revocation tree root (newRevTreeRoot) and roots tree root (newRootsTreeRoot) using checkIdenStateMatchesRoots()

authV2

Instantiation Parameters

IdOwnershipLevels Merkle tree depth levels for Identity Trees (claims Tree, revocation Tree and roots Tree)
onChainLevels Merkle tree depth of GIST stored on chain

Inputs

Input	Description	Public or Private
genesisID	genesis ID of the prover	Private
profileNonce	Random number, stored by the user	Private
state	Prover's Identity State	Private
claimsTreeRoot	Prover's Claims Tree Root	Private
revTreeRoot	Prover's Revocation Tree Root	Private
rootsTreeRoot	Prover's Roots Tree Root	Private
authClaim[8]	Prover's Auth Claim	Private
authClaimIncMtp[IdOwnershipLevels]	Merkle Tree Proof of Auth Claim inclusion inside Prover's Claims tree	Private
authClaimNonRevMtp[IdOwnershipLevels]	Merkle Tree Proof of non inclusion of Auth Claim Nonce inside Prover's Revocation Tree	Private
authClaimNonRevMtpNoAux	Flag that indicates whether to check the auxiliary Node	Private
authClaimNonRevMtpAuxHi	Auxiliary Node Index	Private
authClaimNonRevMtpAuxHv	Auxiliary Node Value	Private
challenge	Message to be signed by the Prover to prove control of an Identity	Public
challengeSignatureR8x	Signature of the challenge (Rx point)	Private
challengeSignatureR8y	Signature of the challenge (Ry point)	Private
challengeSignatureS	Signature of the challenge (S point)	Private
gistRoot	Root of the GIST stored on chain	Private
gistMtp[onChainLevels]	Merkle Tree Proof of Inclusion of the user state inside the global state	Private
gistMtpAuxHi	Auxiliary Node Index	Private
gistMtpAuxHv	Auxiliary Node Value	Private
gistMtpNoAux	Flag that indicates whether to check the auxiliary Node	Private

Output

Input	Description	Public or Private
userID	Identifier of the user, assigned to H(genesisID, nonce) if nonce != 0, assigned to genesisID if nonce = 0	Public

Scope

Prover is owner of an identity by signing a message using idOwnershipBySignature template
Checks that the user state is included in the GIST by using the SMTVerifier(onChainLevels)
Calculate the userID as H(genesisID, nonce) if nonce != 0, assigned to genesisID if nonce = 0 as output it. This is the public Identity Profile of the user

credentialAtomicQueryMTPV2

The circuit takes a query by a verifier and a claim owned by the prover and generate a proof that the claim satisfies the query. In particular, it checks that:

Checks that the prover is owner of an identity by idOwnershipBySignature template
Verifies that the identity is the subject of the claim
Verifier that the claim is included in the issuer's claim tree
Verifies that the claim schema matches the one in the query
Verifies that the claim is not revoked by the issuer and is not expired
Verifies that the query posed by the verifier is satisfied by the claim

credentialAtomicQueryMTPV2OnChain

This circuit should be used for smart contract verifiers. This circuits does all the checks that the the credentialAtomicQueryMTPV2 circuit does, plus the following:

Check that prover controls the identity the same way as the AuthV2 circuit checks it
Calculates hash of the query inputs, like claimSchema, slotIndex, operator, claimPathKey, claimPathNotExists and values as an output for all the query related inputs. This reduces the number of public inputs and much cheaper for Smart Contracts to verify the proof.

credentialAtomicQuerySigV2

This circuit checks that an issuer has issued a claim for identity and validates ownership of that identity in the following manner:

Checks that the prover is owner of an identity by idOwnershipBySignature template
Verifies that the identity is the subject of the claim
Verifier that the claim was signed by the issuer
Verifies that the claim schema matches the one in the query
Verifies that the claim is not revoked by the issuer and is not expired
Verifies that the query posed by the verifier is satisfied by the claim

credentialAtomicQuerySigV2OnChain

This circuit should be used for smart contract verifiers. This circuits does all the checks that the the credentialAtomicQuerySigV2 circuit does, plus the following:

Check that prover controls the identity the same way as the AuthV2 circuit checks it
Calculates hash of the query inputs, like claimSchema, slotIndex, operator, claimPathKey, claimPathNotExists and values as an output for all the query related inputs. This reduces the number of public inputs and much cheaper for Smart Contracts to verify the proof.