Replies: 1 comment
SNARK circuits in general are defined over a finite field, meaning that all operations are done modulo some prime number (or a power of a prime number). In gnark's case, as we currently by default support only pairing-based backends (Groth16 and PLONK), these finite fields are defined by the elliptic curves which we support. See the list of the elliptic curves here and the implementations here (see the

This also means that, by default, the witness that can be provided also needs to be a finite field element. gnark tries to cast inputs to the field as much as possible (i.e. uint64 fits into the field -> cast to field element; string representation of an integer -> cast to field element), but it is not always foolproof, particularly when we cast

The example that we have at the playground uses something called algebraic hash functions - these are hash functions which operate natively on field elements instead of byte arrays. So it is natural to define the inputs and output for such hash functions as field elements. See https://pkg.go.dev/github.com/consensys/gnark@v0.12.0/std/hash/mimc for the exact interfaces.

gnark also supports non-algebraic hash functions (i.e. the conventional ones a la sha2 and sha3), see for example here. But that is very wasteful from the circuit definition point of view, as we represent every byte as a field element (a byte is 8 bits, but the full field element is ~256 bits), meaning that a single-word sha3 hash requires about 50k constraints (off the top of my head, I don't remember the exact numbers), compared to MiMC, which requires less than 1000.

And for the second question - yes, SNARK circuits essentially check correctness of a statement, so the input needs to be provided. In the context of a hash preimage check, you need to provide the preimage.

I also recommend looking at some of the examples and the test files in general.
I have been exploring the documentation and experimenting with examples on https://play.gnark.io/. However, I am currently facing some confusion with the "Hash of Secret" example.
It seems like I am only able to provide bigInt values as the "Secret". Is it correct that I cannot use other types of inputs, such as SHA-256 strings or any other formats?
I am also uncertain about how I am supposed to calculate "Hash" beforehand in order to assign it to the witness.
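The reply's point that a witness must be a field element, applied to the SHA-256 digest from the question, as an added example that is not part of the thread and not gnark's own code. It assumes the BN254 scalar field (other curves have other moduli), uses only the Go standard library, and the function names are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Assumption: BN254 scalar field modulus r (about 254 bits). A 256-bit
// SHA-256 digest can therefore be larger than r.
var bn254R, _ = new(big.Int).SetString("21888242871839275222246405745257275088548364400416034343698204186575808495617", 10)

// ToFieldStrict accepts big-endian bytes only if they already encode a value below r.
func ToFieldStrict(b []byte) (*big.Int, error) {
	v := new(big.Int).SetBytes(b)
	if v.Cmp(bn254R) >= 0 {
		return nil, errors.New("value does not fit in the field")
	}
	return v, nil
}

// ToFieldReduced reduces modulo r. It always succeeds, but v and v+r map to
// the same element, so the mapping is not injective for 256-bit inputs.
func ToFieldReduced(b []byte) *big.Int {
	v := new(big.Int).SetBytes(b)
	return v.Mod(v, bn254R)
}

// SplitLimbs keeps the mapping injective by carrying a 32-byte digest as two
// 128-bit limbs, each of which is always below r.
func SplitLimbs(d [32]byte) (hi, lo *big.Int) {
	return new(big.Int).SetBytes(d[:16]), new(big.Int).SetBytes(d[16:])
}

func main() {
	// Constructed sample input, not taken from the thread.
	digest := sha256.Sum256([]byte("constructed sample secret"))
	if _, err := ToFieldStrict(digest[:]); err != nil {
		fmt.Println("strict:", err)
	}
	fmt.Println("reduced:", ToFieldReduced(digest[:]))
	hi, lo := SplitLimbs(digest)
	fmt.Println("limbs:", hi, lo)
}
```

If reduced values are used as witness inputs, two different byte strings can satisfy the same circuit statement; the two-limb form avoids that at the cost of an extra input.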