research-article
Open access

Automated Detection of Under-Constrained Circuits in Zero-Knowledge Proofs

Published: 06 June 2023

Abstract

As zero-knowledge proofs (ZKPs) gain increasing adoption, the cryptography community has designed domain-specific languages (DSLs) that facilitate their construction. Many of these DSLs, such as Circom, let the programmer describe an arithmetic circuit, which is essentially a system of polynomial equations over a finite field: given a program in such a DSL, the compiler automatically produces the corresponding circuit. However, a common and serious problem is that the generated circuit may be underconstrained, either due to a bug in the program or a bug in the compiler itself. An underconstrained circuit admits multiple witnesses for a given input, so a malicious party can generate a bogus witness and cause the verifier to accept a proof that it should reject. Because such arithmetic circuits are increasingly used in blockchain applications, several million dollars' worth of cryptocurrency have been stolen due to underconstrained circuits.
Motivated by this problem, we propose a new technique for finding ZKP bugs caused by underconstrained polynomial equations over finite fields. Our method performs semantic reasoning over the finite-field equations generated by the compiler to prove whether or not each signal is uniquely determined by the inputs. The approach combines SMT solving with lightweight uniqueness inference to reason effectively about underconstrained circuits. We have implemented it in a tool called QED2 and evaluated it on 163 Circom circuits. QED2 successfully solves 70% of these benchmarks, meaning that it either verifies the uniqueness of the output signals or finds a pair of witnesses that demonstrates the non-uniqueness of the circuit. Furthermore, QED2 has found 8 previously unknown vulnerabilities in widely used circuits.
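The two ideas the abstract relies on, that an underconstrained circuit admits two witnesses agreeing on the inputs but differing on an output, and that a cheap uniqueness inference can be combined with a solver query, can be made concrete on a toy scale. The following is an added example written for this page; it is not code from the QED2 paper, from Circom, or from circomlib. It assumes constraints are given as R1CS triples (A, B, C) of linear forms meaning A(w) * B(w) = C(w) mod P, which is what Circom's `===` constraints compile to, and it replaces the SMT query over the real BN254 scalar field with exhaustive search over a small toy prime P so that it runs offline. The `IsZero` constraints are modelled on circomlib's template; the buggy variant drops the constraint that a Circom `<--` assignment (as opposed to `<==`) silently omits.

```python
"""Toy checker for under-constrained R1CS circuits over a small prime field.

Added example, not code from the QED2 paper or the Circom/circomlib projects.
Assumption: a constraint is an R1CS triple (A, B, C) of linear forms meaning
A(w) * B(w) = C(w) mod P; a form is a dict {signal: coefficient} and the
signal name "1" stands for the constant 1.
"""
from itertools import product

P = 17  # toy prime so exhaustive search is feasible; real circuits use ~254-bit fields


def evaluate(form, w):
    """Value of a linear form under witness w (dict signal -> value)."""
    return sum(c * (1 if s == "1" else w[s]) for s, c in form.items()) % P


def satisfied(constraints, w):
    """True when every A*B = C constraint holds under w."""
    return all((evaluate(A, w) * evaluate(B, w) - evaluate(C, w)) % P == 0
               for A, B, C in constraints)


def const_of(form):
    """Value of a form that mentions only the constant signal "1", else None."""
    return form.get("1", 0) % P if set(form) <= {"1"} else None


def infer_unique(constraints, inputs):
    """Lightweight uniqueness inference (sound, incomplete): fixpoint that marks
    a signal determined when (1) A*B = C with A, B fully determined leaves one
    undetermined signal with nonzero coefficient in C, or (2) the constraint is
    linear (A or B constant) and c*Y - C has one such undetermined signal."""
    determined = set(inputs) | {"1"}
    progress = True
    while progress:
        progress = False
        for A, B, C in constraints:
            candidates = []
            if all(s in determined for s in A) and all(s in determined for s in B):
                candidates.append(C)
            for X, Y in ((A, B), (B, A)):
                c = const_of(X)
                if c is not None:
                    candidates.append({s: (c * Y.get(s, 0) - C.get(s, 0)) % P
                                       for s in set(Y) | set(C)})
            for D in candidates:
                unknown = [s for s, k in D.items()
                           if s not in determined and k % P != 0]
                if len(unknown) == 1:
                    determined.add(unknown[0])
                    progress = True
    return determined - {"1"}


def find_witness_pair(constraints, inputs, outputs):
    """Exhaustive stand-in for the SMT query 'two witnesses agree on every input
    but differ on some output'. Returns such a pair, or None if outputs are unique."""
    signals = set(inputs) | set(outputs)
    signals |= {s for con in constraints for form in con for s in form}
    free = sorted(signals - set(inputs) - {"1"})
    for in_vals in product(range(P), repeat=len(inputs)):
        first = None
        for vals in product(range(P), repeat=len(free)):
            w = dict(zip(inputs, in_vals))
            w.update(zip(free, vals))
            if not satisfied(constraints, w):
                continue
            outs = tuple(w[o] for o in outputs)
            if first is None:
                first = (outs, w)
            elif outs != first[0]:
                return first[1], w
    return None


def check_circuit(constraints, inputs, outputs):
    """('unique', 'inference'|'exhaustive') or ('underconstrained', (w1, w2))."""
    if all(o in infer_unique(constraints, inputs) for o in outputs):
        return ("unique", "inference")
    pair = find_witness_pair(constraints, inputs, outputs)
    return ("unique", "exhaustive") if pair is None else ("underconstrained", pair)


# Modelled on circomlib's IsZero:  inv <-- in != 0 ? 1/in : 0;  (hint, no constraint)
#   out <== -in*inv + 1;   -> in*inv = 1 - out
#   in*out === 0;
ISZERO_OK = [
    ({"in": 1}, {"inv": 1}, {"1": 1, "out": -1}),
    ({"in": 1}, {"out": 1}, {}),
]
# Classic bug: `out <-- -in*inv + 1` assigns without constraining, so the first
# constraint is missing and `out` is free whenever in == 0.
ISZERO_BUGGY = [({"in": 1}, {"out": 1}, {})]
# s = a + b; t = s*s: resolved by the inference rules alone, no search needed.
SQUARE_SUM = [
    ({"1": 1}, {"a": 1, "b": 1}, {"s": 1}),
    ({"s": 1}, {"s": 1}, {"t": 1}),
]

if __name__ == "__main__":
    print(check_circuit(SQUARE_SUM, ["a", "b"], ["t"]))
    print(check_circuit(ISZERO_OK, ["in"], ["out"]))
    print(check_circuit(ISZERO_BUGGY, ["in"], ["out"]))
```

The inference alone cannot settle `out` in the correct `IsZero`, because the constraint `in*inv = 1 - out` is bilinear in two signals that are not both determined; only the search (the SMT query in the real tool) proves that `out` is nevertheless unique, while the intermediate `inv` is not (for `in == 0` any value works, which is harmless because `inv` is not an output). For the buggy variant the search returns two satisfying witnesses with `in == 0` and different `out` values, exactly the pair a malicious prover would exploit.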



Published In

Proceedings of the ACM on Programming Languages, Volume 7, Issue PLDI
June 2023, 2020 pages
EISSN: 2475-1421
DOI: 10.1145/3554310
This work is licensed under a Creative Commons Attribution 4.0 International License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 June 2023
Published in PACMPL Volume 7, Issue PLDI


Author Tags

  1. SNARKs
  2. program verification
  3. zero-knowledge proofs

Qualifiers

  • Research-article

Article Metrics

  • Downloads (Last 12 months)658
  • Downloads (Last 6 weeks)64
Reflects downloads up to 08 Feb 2025

Citations

Cited By

  • (2024) PP-CSA: Practical Privacy-Preserving Software Call Stack Analysis. Proceedings of the ACM on Programming Languages 8(OOPSLA1), 1264–1293. https://doi.org/10.1145/3649856. Published 29 Apr 2024.
  • (2024) Specular: Towards Secure, Trust-minimized Optimistic Blockchain Execution. 2024 IEEE Symposium on Security and Privacy (SP), 3943–3960. https://doi.org/10.1109/SP54263.2024.00175. Published 19 May 2024.
  • (2024) Scalable Verification of Zero-Knowledge Protocols. 2024 IEEE Symposium on Security and Privacy (SP), 1794–1812. https://doi.org/10.1109/SP54263.2024.00133. Published 19 May 2024.
  • (2024) Split Gröbner Bases for Satisfiability Modulo Finite Fields. Computer Aided Verification, 3–25. https://doi.org/10.1007/978-3-031-65627-9_1. Published 26 Jul 2024.
  • (2023) Formal Verification of Zero-Knowledge Circuits. Electronic Proceedings in Theoretical Computer Science 393, 94–112. https://doi.org/10.4204/EPTCS.393.9. Published 14 Nov 2023.
