In zero-knowledge proof (ZKP) systems, public input is the set of known, verifiable data points that are shared between the prover and the verifier. It represents the common, non-secret context for a computation, such as a public blockchain state, a known transaction hash, or a declared rule. The prover uses this data, along with private inputs, to generate a proof, while the verifier uses the same public inputs to check the proof's validity. This separation is critical: the prover demonstrates knowledge of secret information (private inputs) that correctly interacts with the agreed-upon public facts.
LABS
Glossary
Public Input
In a zero-knowledge proof, a public input is data explicitly known to both the prover and verifier, forming the non-secret part of the statement being proven.
Chainscore © 2026
definition
BLOCKCHAIN GLOSSARY
What is Public Input?
A foundational concept in zero-knowledge proof systems like zk-SNARKs and zk-STARKs, defining the verifiable, non-secret data of a computation.
The role of public input is to anchor the proof to a specific, auditable claim. For example, in a zk-rollup on Ethereum, the public input might include the new Merkle root of the rollup state and the previous root. The prover generates a proof showing that, given the old state (public input) and a batch of private transactions (private input), the new state (also public input) was computed correctly. The verifier only needs the proof and these public inputs to be convinced, without seeing the private transaction details. This mechanism enables scalable and private verification of state transitions.
Technically, public inputs are explicitly encoded into the arithmetic circuit or computational constraint system that underlies the ZKP. They become part of the proof's verification key and are hashed into the final proof statement. Common implementations include the public_inputs array in Circom circuits or the public parameters in libsnark. Distinguishing public from private inputs is a primary design task when constructing ZK applications, as it defines the boundary between what must remain secret and what serves as the proof's public certificate of correctness.
key-features
PUBLIC INPUT
Key Features
Public Input is a core blockchain primitive that allows any user to submit data to a smart contract or protocol, enabling decentralized coordination and data feeds.
01
Decentralized Data Feeds
Public Input functions as a foundational layer for oracles and data aggregators. It allows independent parties to submit verifiable data (e.g., price feeds, weather data, event outcomes) to a smart contract, which then aggregates these submissions to reach a consensus value. This mechanism is critical for DeFi applications that require reliable external information.
02
Permissionless Participation
A defining characteristic is its permissionless nature. There are no gatekeepers; any participant with the requisite knowledge and resources can submit data. This openness fosters censorship resistance and ensures the network's security relies on economic incentives and cryptographic verification rather than trusted intermediaries.
03
Incentive & Slashing Mechanisms
To ensure data quality and honesty, Public Input systems employ sophisticated cryptoeconomic incentives. Submitters typically must stake collateral (bond). Correct submissions are rewarded, while provably false or malicious data can result in the loss of this stake through slashing. This aligns participant incentives with network truthfulness.
04
Consensus & Aggregation
The protocol must have a method to resolve multiple, potentially conflicting inputs into a single canonical value. Common techniques include:
- Medianization: Taking the median of all submitted values to mitigate outliers.
- Commit-Reveal Schemes: Hiding initial submissions to prevent copying.
- Stake-Weighted Averages: Weighting submissions by the amount of collateral staked.
05
Use Case: Price Oracles
The most prevalent application is in decentralized price oracles like Chainlink and Pyth Network. Thousands of independent node operators publicly input price data for assets. The protocol aggregates these feeds to provide tamper-resistant price data to lending protocols (like Aave), derivatives platforms, and automated market makers.
06
Use Case: Prediction Markets
Platforms like Augur and Polymarket rely on Public Input for resolution. After a real-world event concludes, users report the outcome. The system uses these public inputs, often combined with dispute rounds and stake-based voting, to determine the final result and settle bets autonomously and trustlessly.
how-it-works
ZERO-KNOWLEDGE PROOF MECHANICS
How Public Input Works in a ZKP
An explanation of the role and function of public inputs in zero-knowledge proof systems, detailing how they enable verification without revealing private data.
In a zero-knowledge proof (ZKP), a public input is a piece of data that is explicitly revealed to and agreed upon by both the prover and the verifier. This shared, non-secret information forms the common ground for the proof statement, allowing the verifier to check the proof's validity against known parameters. For instance, in a proof demonstrating knowledge of a private key for a specific public address, the public address itself is the public input. The system's security relies on the prover's ability to convince the verifier of a claim related to these public inputs, while keeping the witness (the secret data) completely hidden.
The technical implementation involves embedding public inputs into the arithmetic circuit or constraint system that models the computational statement. During proof generation, the prover uses both the private witness and the public inputs to compute the proof. The verifier, who possesses only the public inputs and the final proof, runs a verification algorithm. This algorithm uses the same public inputs to check if the proof is consistent with the claimed statement. Crucially, the verification outcome is a binary true or false; a valid proof confirms the statement's truth relative to the provided public inputs without leaking any information about how it was derived.
Public inputs are essential for creating useful and flexible proofs. They enable scenarios like proving a transaction's inclusion in a specific block (where the block hash is public), verifying a user's membership in a published merkle tree root, or demonstrating that a secret number lies within a publicly declared range. In zk-SNARKs, public inputs are often hashed into the verification key, making them a fixed part of the verification logic. In contrast, some zk-STARK constructions or recursive proofs can handle public inputs more dynamically. Misalignment of a single public input value between prover and verifier will cause proof verification to fail, ensuring the integrity of the proven statement's context.
ZK-SNARKs & ZK-STARKs
Public Input vs. Private Input (Witness)
A comparison of the two fundamental types of data processed by a zero-knowledge proof system, defining what is revealed to the verifier and what remains confidential.
| Feature | Public Input | Private Input (Witness) |
|---|---|---|
Definition | Data that is known to both the prover and verifier, and is part of the proof statement. | Data known only to the prover, used to generate the proof but not revealed. |
Verifier Knowledge | ||
Included in Proof | ||
Role in Verification | Used by the verifier to check the proof's validity against the public statement. | Used by the prover to generate the proof; its correctness is implied by the proof's validity. |
Example (Token Transfer) | "Alice's balance decreased by 5, Bob's balance increased by 5" | "Alice's secret spending key, the transaction nonce" |
Cryptographic Binding | Explicitly hashed into the proof and verification key. | Implicitly constrained by the circuit's arithmetic constraints. |
Data Sensitivity | Low (intended for public disclosure) | High (must remain secret) |
Storage Location | On-chain (for smart contract verification) | Off-chain (prover's local environment) |
examples
GLOSSARY
Examples of Public Inputs
A public input is data provided by a prover to a verifier that is explicitly revealed as part of a zero-knowledge proof. These are the non-secret, verifiable parameters of a computation. Below are common examples across different blockchain protocols.
01
Transaction Root (zk-Rollups)
In a zk-Rollup, the public input is often the new state root or transaction batch root that results from executing a batch of transactions. The zk-SNARK or zk-STARK proof demonstrates that, given the old state root and the batch data, the new root was computed correctly. This allows the L1 smart contract to trust and accept the new state without re-executing all transactions.
- Example: In zkSync Era, the
blockHash(a commitment to all transactions) is a public input to the proof verified on Ethereum.
02
Nullifier Hash (Private Payments)
In privacy protocols like Zcash or Tornado Cash, a nullifier is a public input that prevents double-spending of shielded notes. When a user withdraws funds, they generate a zero-knowledge proof and publish a unique nullifier hash. This hash acts as a public, non-revealing identifier for the spent note.
- Mechanism: The verifier contract checks this nullifier against a public list. If it exists, the spend is rejected. The proof cryptographically links the nullifier to the secret spend key without revealing the note's origin.
03
Function Output (Verifiable Computation)
When using a zk-SNARK for general verifiable computation, the intended output of the function is a critical public input. The prover demonstrates they know a secret input that, when run through the agreed-upon circuit, produces this exact public output.
- Use Case: A decentralized oracle could prove it correctly computed a price feed (
output = $50,250) from signed source data, without revealing the proprietary aggregation logic. The verifier only checks the proof against the claimed output price.
04
Block Header Data (Light Clients)
zk-proofs can enable trust-minimized light clients. Here, relevant block header fields (like the hash of the previous block) are public inputs. The proof attests that a specific transaction is included in a Merkle tree rooted in a valid block header, which itself follows consensus rules.
- Example: A zkBridge proof might take a block header from another chain as a public input, proving its validity according to that chain's rules, enabling secure cross-chain messaging.
05
Election Result (zk-Voting)
In zk-voting systems, the final, tallied election result is the public input. Voters submit zero-knowledge proofs showing they voted for a valid candidate without revealing their individual choice. The tallying authority aggregates these proofs and publishes the final counts.
- Verification: Anyone can verify the proof of correct tally against the announced results (public inputs), ensuring the count is accurate without compromising voter privacy.
06
Program / Circuit Identifier
The hash or identifier of the specific zk-SNARK circuit or verification key is often an implicit public input. It ensures the proof is being verified against the correct computational constraint system.
- Importance: This prevents a prover from using a proof generated for a different, potentially malicious, program. The verifier contract will only accept proofs that declare the exact, pre-approved circuit ID.
technical-details
TECHNICAL IMPLEMENTATION
Public Input
A core data structure in zero-knowledge (ZK) proof systems that allows a prover to incorporate external, non-deterministic data into a computational proof.
In the context of zk-SNARKs and zk-STARKs, a public input is a piece of data that is known to both the prover and the verifier. It is explicitly declared as an input to the arithmetic circuit or computational statement being proven, but unlike a private input (or witness), it is not kept secret. The prover uses this data to generate a proof, and the verifier must supply the same value to successfully verify the proof's validity. This mechanism binds the proof to specific, agreed-upon parameters.
The primary function of public inputs is to enable the verification of statements about public state. For example, in a blockchain ZK-rollup, the public input might be the new Merkle root of the state after a batch of transactions. The prover demonstrates they have correctly processed the transactions (using private witness data) to arrive at this specific root. The verifier, knowing the intended new root, can confirm the proof is valid for that exact state transition, ensuring consistency with the public ledger.
Technically, public inputs are often handled as a distinct component of the Rank-1 Constraint System (R1CS) or similar circuit representation. They are hashed or otherwise committed to as part of the proving key setup. A critical security property is that a proof is only valid for the exact public inputs used during verification; changing even one bit will cause verification to fail. This makes public inputs essential for applications like token transfers (where the recipient address is public) or voting (where the proposal ID is public).
Common implementations include the use of public inputs to represent nullifiers in anonymous systems like Zcash, where a spent note's nullifier is published on-chain as a public input to prevent double-spending, while the note's details remain private. In zkEVM circuits, public inputs routinely include block hashes, transaction hashes, and storage roots, anchoring the proof's correctness to the canonical chain history visible to all network participants.
ecosystem-usage
PUBLIC INPUT
Ecosystem Usage
Public Input is a core feature of the Optimism Superchain, allowing smart contracts to read data from the parent L1 (Ethereum) in a permissionless and trust-minimized way. This section details its key applications and real-world implementations.
security-considerations
PUBLIC INPUT
Security & Design Considerations
Public Input is a critical security primitive in zero-knowledge proof systems, allowing a prover to incorporate external, verifiable data into a proof without revealing it.
01
Core Definition & Purpose
Public Input is data that is known and agreed upon by both the prover and verifier before a zero-knowledge proof is generated. It is used to constrain the proof to a specific context, ensuring the computation is valid for a given set of public parameters. For example, in a token transfer proof, the public input could be the recipient's public address, guaranteeing the proof is only valid for that specific transfer destination.
02
Contrast with Private Input
This concept is defined in opposition to Private Input (or witness).
- Public Input: Visible to all, used for verification. (e.g., a public commitment hash, a nullifier).
- Private Input: Kept secret by the prover. (e.g., the secret key, the actual amount). The proof demonstrates a valid relationship between the hidden private inputs and the declared public inputs without revealing the secrets.
03
Security Role: Preventing Replay Attacks
A primary security function of public inputs is to act as a nonce or unique identifier, binding a proof to a single use case. In zk-rollups, the public input may include a global state root. This ensures a withdrawal proof is only valid for the exact state it references, preventing the same proof from being replayed after the state has changed.
04
Design Consideration: Data Availability
Since verifiers need public inputs to check a proof, this data must be available on-chain or in a verifiable data commitment. The design must ensure the mechanism for posting and referencing public inputs (e.g., in a calldata field or an event log) is itself secure and resistant to censorship, as missing public inputs render proofs unverifiable.
05
Example: zk-SNARKs in Zcash
In Zcash's zk-SNARKs (Sprout, Sapling), public inputs are critical components of the proof verification:
- cm (Commitment): A public note commitment placed on-chain.
- rt (Root): The Merkle root of the commitment tree, representing the state.
- nf (Nullifier): A unique identifier to prevent double-spending. The verifier's circuit checks that the proof is valid given these specific public values, linking the secret transaction to the public ledger state.
PUBLIC INPUT
Common Misconceptions
Public Input is a core concept in blockchain scaling and zero-knowledge proof systems, often misunderstood in its scope and purpose. This section clarifies frequent points of confusion.
In a zk-SNARK, Public Input is data that is explicitly revealed and verified as part of the proof, making it known to both the prover and verifier. It is distinct from the private witness, which remains hidden. The public input is cryptographically bound to the proof statement, ensuring the computation's integrity over the known data. For example, in a token transfer proof, the sender's public address, recipient's address, and the token amount would typically be public inputs, while the sender's private key remains a private witness. This separation allows for public verification of specific claims without revealing the underlying secrets.
PUBLIC INPUT
Frequently Asked Questions
Public Input is a core concept in zero-knowledge proof systems, particularly zk-SNARKs, that allows for the verification of private computations against public parameters. These questions address its function, importance, and implementation.
In a zk-SNARK, Public Input is the set of data that is known to both the prover and the verifier, serving as the common, verifiable context for a private computation. It is distinct from the Private Input (or witness), which remains hidden. The prover generates a proof demonstrating they know a valid private witness that, when combined with the agreed-upon public inputs, satisfies the constraints of the program (the circuit). The verifier then checks this proof against the same public inputs. For example, in a private transaction, the public input might be the new, cryptographically-committed state root of a blockchain, while the private inputs are the sender, receiver, and amount.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall