Support

## Defining ZK Circuit Inputs for a ZK-Mixer Deposit Proof This lesson focuses on a critical step in developing a Zero-Knowledge (ZK) mixer: identifying and categorizing the inputs required for the ZK-SNARK circuit. Our objective is to design a circuit capable of generating a proof of deposit. This proof, verifiable by a smart contract, will allow users to demonstrate they made a deposit without revealing their identity or the specifics of that deposit, thereby ensuring privacy. The core challenge is to determine what information the circuit needs to perform its computations and what parts of this information can be made public versus what must remain private to the prover. ### The Anatomy of a Privacy-Preserving Withdrawal Proof To enable a user to withdraw their Ether (ETH) from the ZK-mixer, they must generate a ZK proof. This proof, typically created off-chain using a framework like Noir, serves as evidence that they legitimately deposited funds. Specifically, the proof must convincingly establish two key facts: 1. **Knowledge of a Secret:** The user possesses a unique secret that corresponds to a commitment (a leaf node) present within the Merkle tree that records all deposits made to the mixer. 2. **Unique Nullifier Revelation:** The user is revealing a unique nullifier, also tied to their secret. This nullifier is used to prevent the same deposit from being withdrawn multiple times (double-spending). Let's break down how these requirements translate into concrete inputs for our ZK circuit. ### Calculating the Commitment: The Foundation of Privacy At the heart of the deposit is a **commitment**. This commitment is a cryptographic hash derived from two pieces of information supplied by the depositor: * A **secret**: A random, private value known only to the depositor. * A **nullifier**: Another random, private value, also chosen by the depositor. The formula is essentially: `commitment = hash(secret, nullifier)`. This calculated commitment is what gets inserted as a leaf into the mixer's Merkle tree of deposits. Since the `secret` and `nullifier` are the foundational pieces of private data the user needs to prove knowledge of, they become our initial **private inputs** to the circuit. ### Proving Merkle Tree Membership: Is the Deposit Real? The ZK proof must demonstrate that the commitment calculated from the user's private `secret` and `nullifier` actually exists within the deposit Merkle tree. This involves several components: 1. **Proposed Root (Public Input):** The verifier (the smart contract) maintains knowledge of the current or a recent Merkle root of the deposit tree. The ZK proof must show that the user's commitment is part of a Merkle tree that correctly hashes up to this known `proposed_root`. This `proposed_root` is therefore a **public input** to the circuit. 2. **Merkle Proof / Path (Private Input):** To reconstruct the path from the user's commitment (a leaf) up to the Merkle root, the circuit needs the sibling hashes at each level of the tree. This collection of sibling hashes is known as the `Merkle proof` or Merkle path. For instance, if a tree has 8 leaves (0-7) and the user's commitment is leaf 2, the proof would include: * Leaf 3 (sibling of leaf 2) * The hash of leaves 0 and 1 (sibling of `hash(leaf2, leaf3)`) * The hash of `hash(leaves 0,1)` and `hash(leaves 2,3)` combined with the hash of `hash(leaves 4,5)` and `hash(leaves 6,7)`. These sibling hashes are specific to the user's deposit and its position in the tree, so they constitute a **private input**. 3. **Path Indices / Directions (Private Input):** When reconstructing the Merkle root, the order of hashing matters. For any two nodes `A` and `B` being combined, the circuit needs to know whether to compute `hash(A, B)` or `hash(B, A)`. This is determined by the position (index) of the node derived from the user's path relative to its sibling from the Merkle proof. We provide this directional information as an array of booleans, typically indicating if the current node being processed (starting with the user's commitment, then the subsequent intermediate hashes) is a left child (e.g., has an even index relative to its sibling). For example: * If leaf 2 (even index) is combined with sibling leaf 3, the hash is `H(leaf2, leaf3)`. The boolean would indicate "even index." * If the resulting `H(leaf2, leaf3)` (say, at an odd index in the next level) is combined with its sibling `S_level1`, the hash is `H(S_level1, H(leaf2, leaf3))`. The boolean for this level would indicate "odd index." This sequence of booleans guiding the hashing order is also a **private input**. ### Nullifier Verification: Preventing Double Spending To ensure a deposit cannot be withdrawn multiple times, we use the `nullifier`. 1. **Nullifier (Private Input):** As established, the `nullifier` itself is a private value used in calculating the commitment. It remains a **private input** to the circuit. 2. **Nullifier Hash (Public Input):** When a user successfully withdraws funds, a hash of their `nullifier` (the `nullifier_hash`) is made public and recorded by the smart contract. The ZK circuit must prove that the private `nullifier` it used to compute the commitment (and which is part of the secret knowledge) correctly hashes to this publicly declared `nullifier_hash`. This `nullifier_hash` serves as a public "spent" marker and is a crucial **public input**. The smart contract will check its list of revealed `nullifier_hash` values to ensure this one hasn't been used before. ### Summarizing the Circuit Inputs Based on this derivation, we can now clearly define the inputs to our ZK-SNARK circuit: **Private Inputs (Known only to the Prover):** * **Secret:** The unique, private value chosen by the depositor, used to form the commitment. * **Nullifier:** The second unique, private value chosen by the depositor, used for the commitment and to prevent double-spending. * **Merkle Proof (Intermediate Nodes):** The set of sibling hashes from the Merkle tree required to reconstruct the path from the user's commitment to the Merkle root. * **Path Indices (Boolean Array):** An array of booleans indicating, for each level of Merkle proof reconstruction, whether the node on the user's path is the left child (has an even index) relative to its sibling in the proof. This dictates the order of hashing. **Public Inputs (Known to both Prover and Verifier):** * **Proposed Root:** The Merkle root of the deposit tree against which the user's commitment membership is being verified. The smart contract knows this value. * **Nullifier Hash:** The publicly revealed hash of the user's private nullifier. The circuit proves that the private nullifier it uses correctly hashes to this value. The smart contract uses this to mark the deposit as spent. This methodical identification of inputs is essential. By precisely defining what data is private and what is public, we lay the groundwork for constructing a secure and effective ZK circuit. The circuit will take these inputs and, if all conditions are met (commitment correctly calculated, commitment present in the tree under the proposed root, and nullifier correctly hashes to the public nullifier hash), it will output a valid proof without revealing any of the private inputs. With these inputs defined, the next logical step is to begin the actual implementation of the ZK circuit.

Circuit Inputs

A focused examination of Defining ZK Circuit Inputs for a ZK-Mixer Deposit Proof - Pinpoint the exact data, from prover-known secrets (secret, nullifier, Merkle path) to publicly verifiable anchors (root, nullifier hash), for your ZK-SNARK deposit proof circuit. This lesson clarifies their distinct roles in asserting deposit legitimacy, safeguarding anonymity, and enabling unique withdrawals in a ZK-mixer.

Course Overview

About the course

What you'll learn

Noir syntax

Create a witness, a proof, and Solidity verifier contracts

Use the Poseidon commitment scheme

Create ZK circuits and build a full ZK protocol

ZK Merkle trees and hashing in Noir

Verify signatures without revealing the signer

Build the backend for a full-stack ZK application with noir.js and bb.js

How to create proofs and verify them in a front-end

Course Description

Who is this course for?

Software engineers
Solutions Architects
ZK Engineers
ZK Smart Contract Developers
Web3 Developers

Meet your instructors

Ciara Nightingale

Developer relations at Cyfrin

Last updated on June 12, 2025

Thanks for checking us out

Start learning for free

Start for free

Zero Knowledge (ZK) Developer Noir Programming And ZK Circuits

Section 1: Welcome To Noir

Duration: 6min

Section 2: ZK Ecrecover

Duration: 1h 11min

Section 3: ZK Panagram App

Duration: 2h 12min

Section 4: ZK Mixer

Duration: 3h 19min

1. Introduction

A capstone immersion into Welcome to Our Final Chapter: Advanced Noir Privacy Protocols - Apply your accumulated Noir expertise to construct a sophisticated multi-component privacy mixer. This concluding lesson explores Merkle Trees and commitments, and analyzes Tornado Cash to lay the groundwork for your project. Duration: 2min

2. Disclaimer

A crucial clarification of Foundational Concepts: Disclaimer, Attribution, and Proof Terminology - This lesson details the educational-only intent and legal responsibilities, acknowledges Tornado Cash Core code origins with proper attribution, and clearly distinguishes "proof" (ZK proof) from "Merkle proof." These points provide essential context and accurate understanding for subsequent material. Duration: 2min

3. Tornado Cash

A cryptographic key to Unveiling Tornado Cash: Enhancing Privacy on Transparent Blockchains - Unlock the workings of Tornado Cash, a protocol for private transactions on public ledgers. Discover its operational flow from deposit to withdrawal, and the ZKPs, Merkle trees, and nullifiers that safeguard anonymity. Duration: 20min

4. Creating The Mixer Smart Contract

A foundational introduction to Initializing Your ZK Mixer Project with Foundry - Begin building your ZK Mixer by setting up the project environment with Foundry and creating the initial `Mixer.sol` smart contract. This lesson guides you through implementing the `deposit` function and outlines the design for the `withdraw` function, incorporating ZK proof verification and Merkle tree concepts. Duration: 12min

5. Incremental Merkle Trees

A crucial dive into Understanding Incremental Merkle Trees - Discover how IMTs tackle the challenge of efficient on-chain updates, outperforming standard Merkle trees for dynamic data. This lesson covers their fixed-depth structure, zero-value pre-population, and caching strategies for optimized blockchain interactions. Duration: 17min

6. Creating The IMT Contract

An in-depth look at On-Chain Incremental Merkle Tree Setup - Transition your ZK-Mixer from simple commitment mappings to a powerful Incremental Merkle Tree (IMT) for enhanced data management. Master the initial steps: creating `IncrementalMerkleTree.sol`, defining the `_insert` stub, and setting/validating tree depth with custom errors. Duration: 4min

7. Zero Subtrees

An essential guide to Pre-computing Zero Subtree Hashes for Incremental Merkle Trees - Master the off-chain calculation of zero subtree hashes (`zeros[i]`) using Poseidon, crucial for initializing gas-efficient Incremental Merkle Trees. Implement these pre-computed values directly into your Solidity `zeros` function to represent empty tree states. Duration: 9min

8. Inserting A Leaf

An in-depth guide to Implementing `_insert` for Efficient Incremental Merkle Tree Updates in Solidity - Delve into the core logic of the `_insert` function for adding new leaves sequentially to an Incremental Merkle Tree in Solidity. Unpack the process of iterative hashing, efficient caching of subtree hashes, and using zero hashes to correctly update the tree's root. Duration: 13min

9. Finishing Deposit

A constructive guide to Finalizing the Merkle Tree Insertion Logic - Master the completion of the Merkle tree's `_insert` function, covering new root storage and leaf index handling. See this logic integrated into the Mixer contract, enabling the `deposit` function and event emission for off-chain tree reconstruction. Duration: 5min

10. Nullifier Hash

A crucial look into Understanding Nullifier Hashes in ZK Mixer Withdrawals - Uncover why nullifier hashes are vital for private ZK Mixer withdrawals and robust double-spend prevention. Learn their ZK-friendly generation, on-chain verification steps, and how they secure anonymous transactions with ZK proofs. Duration: 6min

11. Circuit Inputs

12. Circuit Logic

A constructive walkthrough of Setting Up Your ZK-Mixer Circuit Environment - Build the foundation for your ZK-Mixer by initializing a new Noir project and defining the main circuit's function signature with public and private inputs. This lesson guides you through implementing essential privacy logic, including commitment generation, nullifier verification, Merkle proof validation, and front-running prevention. Duration: 15min

13. Generate Verifier

A foundational breakdown of Generating a Solidity Verifier for Your ZK Circuit with Nargo and Barretenberg - Step through compiling Noir circuits with Nargo and using Barretenberg to produce both verification keys and the crucial `Verifier.sol` contract. This lesson paves the way for deploying smart contracts that verify zero-knowledge proofs directly on the blockchain. Duration: 2min

14. Finish Withdraw

An essential guide to Finalizing the ZK-Mixer Withdraw Function - Learn to implement critical ZK-Mixer withdrawal steps in Solidity: verifying proofs, using low-level calls for fund transfers, and emitting events. This lesson details crafting public inputs for the Verifier contract and implementing robust custom error handling. Duration: 3min

15. Historical Roots

An essential deep-dive into Mitigating Stale Proofs in ZK-Mixers with Historical Merkle Roots - Understand why 'stale Merkle roots' cause issues in ZK-mixers and how implementing a historical root buffer offers a robust fix. This lesson walks through modifying contracts like `IncrementalMerkleTree.sol` and `Mixer.sol` to improve transaction reliability and user experience. Duration: 9min

16. Mid Way Summary

An essential deep dive into zk-Mixer Withdrawals: Solidity Logic and Noir Circuitry - Uncover the step-by-step execution of the `withdraw` function in `Mixer.sol`, from initial Merkle root checks to final fund disbursal and event emission. This lesson further deciphers the companion ZK-SNARK circuit in Noir, vital for preparing a comprehensive testing strategy. Duration: 5min

17. Building The Project

A practical troubleshooting guide to Compiling Your Solidity Project with `forge build` - Learn to compile your Solidity smart contracts using `forge build` and effectively diagnose common issues encountered during the process. This lesson provides step-by-step fixes for errors, from syntax to type conversions, enhancing your Solidity debugging skills. Duration: 1min

18. Setting Up The Tests

An essential primer on Setting Up Foundry Tests for a zk-SNARK Mixer Contract - Get started by creating your test file, importing key contracts such as the Mixer and Verifier, and initializing state variables. This lesson also covers utilizing Foundry's `setUp` function and its Foreign Function Interface (FFI) for generating zk-SNARK commitments. Duration: 5min

19. Generate The Commitment

An illuminating guide to Bridging Off-Chain Logic with On-Chain Tests: An Overview of Foundry FFI - Discover how to enhance Solidity testing by integrating off-chain TypeScript computations using Foundry's Foreign Function Interface (FFI). This lesson walks through creating a TypeScript commitment generator and calling it from your smart contract tests for robust validation. Duration: 11min

20. Testing Making A Deposit

A crucial first step into Crafting Your First ZK-Mixer Test: Verifying Deposits - Discover how to write the initial Foundry test for a ZK-Mixer's `deposit` function, covering Ether transactions in tests and event verification with `vm.expectEmit`. This lesson also prepares the groundwork for withdrawal testing by modifying data handling in helper functions and associated scripts. Duration: 7min

21. Creating The Proof Helper Function

A detailed introduction to Generating Zero-Knowledge Proofs Off-Chain: The `_getProof` Solidity Helper - Discover how to construct the `_getProof` Solidity function, leveraging Foundry's FFI to call external scripts for efficient off-chain ZK proof generation. This lesson explains the preparation of inputs like Merkle tree leaves and private user data, and the process of invoking the external script. Duration: 5min

22. Generate Proof Script

An essential walkthrough of Crafting a `generateProof.ts` Script for Your ZK-Mixer - Learn to develop a TypeScript script for generating ZK proofs in a ZK-Mixer, from Noir circuit interaction to CLI input handling. This lesson covers key cryptographic operations with Barretenberg, Merkle tree data preparation, and ABI-encoding proofs for Ethereum. Duration: 21min

23. Finish Withdraw Test

A capstone guide to Implementing and Testing Private Withdrawals in a zk-SNARK Mixer with Foundry - Master the final steps of developing and validating private withdrawals in a zk-SNARK mixer with Foundry, focusing on incorporating public inputs for proof generation. This lesson details Solidity and JavaScript modifications for a secure, private transaction flow. Duration: 5min

24. Reentrancy

A critical deep dive into Securing Mixer.sol: Understanding Reentrancy and Implementing Guards - Explore the reentrancy vulnerability in the `Mixer.sol` contract's `withdraw` function and the preventative Checks-Effects-Interactions pattern. This lesson guides you through integrating OpenZeppelin's `ReentrancyGuard` for robust contract protection. Duration: 4min

25. Unused Circuit Inputs

A crucial investigation into Optimizing ZK-Proofs: Do Unused Public Inputs Need Dummy Calculations in Noir? - Uncover whether Noir requires the 'dummy calculation' pattern common in Circom for public input security, through a ZK-Mixer case study. This lesson demonstrates that Noir's `pub` keyword inherently secures these inputs, streamlining circuit design and potentially reducing costs. Duration: 5min

26. NATSPEC

A vital guide to Mastering Smart Contract Documentation: A Guide to NatSpec for ZK-Mixer Projects - Master writing comprehensive NatSpec comments for Solidity smart contracts, focusing on ZK-Mixer project applications. This lesson covers essential tags and best practices to ensure your code is clear, maintainable, and provides crucial ZK context. Duration: 4min

27. Summary

An insightful walkthrough of Understanding and Building a ZK Mixer Protocol for Enhanced On-Chain Privacy - Discover how to build a ZK mixer protocol leveraging commitment schemes, Merkle trees, and zero-knowledge proofs to significantly enhance on-chain privacy. This lesson covers the core cryptographic mechanisms, smart contract development in Solidity, and off-chain scripting for proof generation using Noir. Duration: 4min