Automated Detection of Under-Constrained Circuits in Zero-Knowledge Proofs

Abstract: As zero-knowledge proofs gain increasing adoption, the cryptography community has designed domain-specific languages (DSLs) that facilitate the construction of zero-knowledge proofs (ZKPs). Many of these DSLs, such as Circom, facilitate the construction of arithmetic circuits, which are essentially polynomial equations over a finite field. In particular, given a program in a zero-knowledge proof DSL, the compiler automatically produces the corresponding arithmetic circuit. However, a common and serious problem… Show more

“…The QED 2 tool [36] is a specialized verifier that combines a dedicated algorithm with an SMT solver to automatically establish whether the outputs of a zero-knowledge circuit are uniquely determined by the inputs, or are instead under-constrained; it may also fail to find an answer. Their approach is automated, but our work addresses a stronger property (correctness); the unique determination of outputs from inputs is implied by soundness, when the specification of a gadget is that the gadget represents a computation (see Section 3).…”

“…The SMT solver for finite fields described in [34] has been used to verify automatically whether circuits produced by certain compilers are sound (with respect to the compilation source) and deterministic (i.e. the outputs are uniquely determined by the inputs, as in [36]). Since our circuit specifications prescribe computations, in a way that may be similar to the sources of circuit compilers, their soundness proofs are analogous to ours (with determinism implied by soundness, at least in our case, as noted above); but their work does not cover completeness proofs.…”

“…Since our circuit specifications prescribe computations, in a way that may be similar to the sources of circuit compilers, their soundness proofs are analogous to ours (with determinism implied by soundness, at least in our case, as noted above); but their work does not cover completeness proofs. Their approach works on individual circuits, not on parameterized circuit families (as also noted above for [36]). For example, in our work, an unsigned n-bit integer addition circuit family as in Figure 3 is verified once, quickly, for every possible n (see Section 5.5), and can be used to verify correct compilation via a syntactic check; in contrast, in their…”

Formal Verification of Zero-Knowledge Circuits

“…The QED 2 tool [36] is a specialized verifier that combines a dedicated algorithm with an SMT solver to automatically establish whether the outputs of a zero-knowledge circuit are uniquely determined by the inputs, or are instead under-constrained; it may also fail to find an answer. Their approach is automated, but our work addresses a stronger property (correctness); the unique determination of outputs from inputs is implied by soundness, when the specification of a gadget is that the gadget represents a computation (see Section 3).…”

“…The SMT solver for finite fields described in [34] has been used to verify automatically whether circuits produced by certain compilers are sound (with respect to the compilation source) and deterministic (i.e. the outputs are uniquely determined by the inputs, as in [36]). Since our circuit specifications prescribe computations, in a way that may be similar to the sources of circuit compilers, their soundness proofs are analogous to ours (with determinism implied by soundness, at least in our case, as noted above); but their work does not cover completeness proofs.…”

“…Since our circuit specifications prescribe computations, in a way that may be similar to the sources of circuit compilers, their soundness proofs are analogous to ours (with determinism implied by soundness, at least in our case, as noted above); but their work does not cover completeness proofs. Their approach works on individual circuits, not on parameterized circuit families (as also noted above for [36]). For example, in our work, an unsigned n-bit integer addition circuit family as in Figure 3 is verified once, quickly, for every possible n (see Section 5.5), and can be used to verify correct compilation via a syntactic check; in contrast, in their…”

Formal Verification of Zero-Knowledge Circuits

Split Gröbner Bases for Satisfiability Modulo Finite Fields

Specular: Towards Secure, Trust-minimized Optimistic Blockchain Execution