Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/noir-lang/noir/llms.txt

Use this file to discover all available pages before exploring further.

A zero-knowledge proof (ZKP) lets one party (the prover) convince another party (the verifier) that a statement is true, without revealing any information beyond the truth of the statement itself. The classic example: Alice wants to prove she knows the solution to a puzzle without showing Bob the solution. A ZKP lets her generate a short piece of evidence — the proof — that convinces Bob she knows it, while Bob learns nothing about what the solution actually is.

The prover and verifier

Every ZK system involves two roles:
RoleResponsibility
ProverHas access to private inputs (the “secret”). Runs the computation and generates a proof.
VerifierHas access to public inputs only. Checks the proof is valid — fast, regardless of how complex the original computation was.
The proof is small and fast to verify even when the original computation is large. This is what makes ZKPs useful for blockchains, where computation is expensive.

Private and public inputs

Noir programs distinguish between two kinds of inputs:
  • Private inputs — known only to the prover. They appear in the proof but are cryptographically hidden from the verifier.
  • Public inputs — known to both prover and verifier. They appear as plain values alongside the proof.
fn main(x: Field, y: pub Field) {
    assert(x != y);
}
In this example, x is private and y is public. The proof demonstrates that the prover knows some x that differs from the publicly visible y, without revealing what x is.

SNARKs

ZK proof systems used in practice are almost always SNARKs: Succinct Non-interactive ARguments of Knowledge. Each word matters:
  • Succinct — the proof is short (a few hundred bytes) and fast to verify, regardless of the size of the computation.
  • Non-interactive — the prover sends a single message. There is no back-and-forth challenge protocol.
  • Argument of Knowledge — soundness holds under cryptographic assumptions. A prover who doesn’t actually know the witness cannot forge a valid proof (except with negligible probability).
Noir targets PLONKish SNARK backends by default, with Barretenberg (UltraPlonk / Honk) as the primary backend.

How Noir programs become circuits

Zero-knowledge proofs operate over arithmetic circuits — networks of addition and multiplication gates over a finite field. Proving a computation means proving that a particular assignment of values to wires satisfies all the gates. Writing circuits by hand is error-prone and difficult. Noir handles this automatically:
1

Write Noir source

You write ordinary-looking Rust-inspired code. Noir’s type system and syntax abstract away the underlying mathematics.
2

Compile to ACIR

The Noir compiler lowers your program to ACIR (Abstract Circuit Intermediate Representation), a backend-agnostic format consisting of arithmetic constraints and black-box function calls.
3

Backend generates a circuit

The proving backend (e.g., Barretenberg) translates ACIR into its native constraint system (UltraPlonk gates, lookup tables, etc.).
4

Witness generation

Given the private and public inputs, the prover evaluates the circuit to assign a concrete value to every wire. This assignment is the witness.
5

Proof generation

The backend uses the witness to produce a SNARK proof: a compact cryptographic commitment to the witness that can be verified without seeing the witness itself.
6

Verification

The verifier checks the proof against the public inputs and the verification key. No private data is required or revealed.

Circuit efficiency

Unlike conventional programs, the cost of a ZK circuit is proportional to its gate count, not its execution time. A loop that runs 1000 iterations generates 1000 times the gates of a single iteration. This changes how you think about optimization. Key principles for writing efficient Noir circuits:
  • Prefer arithmetic operations (+, *) over bitwise operations (<<, |), which require many more gates.
  • Prefer the Field type over fixed-width integers where possible — integer range checks add gates.
  • Move expensive computation into unconstrained functions and verify the result cheaply inside the circuit.
  • Keep loop bodies and conditional branches as simple as possible.
See Unconstrained functions for the technique of running expensive computation outside the constraint system.

Common use cases

Prove you know a password, private key, or secret — without revealing it. A ZKP lets a server verify the claim without storing the secret or learning it during authentication.
Prove you are an eligible voter and have not yet voted, without linking your identity to your choice. The vote is cast anonymously while eligibility is publicly verified.
Prove membership in a set (e.g., KYC-verified users, NFT holders, DAO members) without revealing which member you are or any identifying attributes.
Prove that a transaction is valid — inputs equal outputs, all values are positive, the sender has sufficient balance — without revealing the amounts or addresses involved.
Noir powers smart contracts on the Aztec network, where private state and private function execution are enforced by ZK proofs generated from Noir programs.
Verify the proof of a Noir program inside another Noir program. This enables batching many proofs into one, reducing the cost of on-chain verification. See the recursion standard library.

Build docs developers (and LLMs) love

Get started for freeTalk to us