A toolbox for zkSNARKs on Ethereum



Join the chat at https://gitter.im/ZoKrates/Lobby CircleCI develop

ZoKrates is a toolbox for zkSNARKs on Ethereum.

This is a proof-of-concept implementation. It has not been tested for production.

Getting Started

Load the ZoKrates Plugin on Remix to write your first SNARK program!

Alternatively, you can install the ZoKrates CLI:

curl -LSfs get.zokrat.es | sh

Have a look at the documentation for more information about using ZoKrates. Get started, then try a tutorial!

Getting Help

If you run into problems, ZoKrates has a Gitter room.


ZoKrates is released under the GNU Lesser General Public License v3.


We happily welcome contributions. You can either pick an existing issue or reach out on Gitter.

Unless you explicitly state otherwise, any contribution you intentionally submit for inclusion in the work shall be licensed as above, without any additional terms or conditions.

Git Hooks

You can enable zokrates git hooks locally by running:

git config core.hooksPath .githooks
  • testing proof with web3js

    testing proof with web3js

    I have been playing with ZoKrates for a few days but I can't achieve a verification process with a true statement. It is alway FALSE I tried to follow the tutorial of the readme but I encountered some difficulties: the verification always returns "false". I mean, of course, I should use the toolbox with a wrong way

    This is the basic code I want to test:

    def main(x,private s1,private s2):
        s1 + s2 + x == 15
        return 1

    Then when I generate proof I have this output:

    Generating proof...
    Using Witness: {"~one": 1, "x": 5, "~out_0": 1, "s2": 5, "s1": 5}
    Public inputs: [1, 5, 1]
    Private inputs: [5, 5]
    * Elements of w skipped: 0 (-nan%)
    * Elements of w processed with special addition: 0 (-nan%)
    * Elements of w remaining: 0 (-nan%)
    * Elements of w skipped: 0 (-nan%)
    * Elements of w processed with special addition: 0 (-nan%)
    * Elements of w remaining: 0 (-nan%)
    * Elements of w skipped: 0 (0.00%)
    * Elements of w processed with special addition: 1 (25.00%)
    * Elements of w remaining: 3 (75.00%)
    * Elements of w skipped: 0 (0.00%)
    * Elements of w processed with special addition: 1 (25.00%)
    * Elements of w remaining: 3 (75.00%)
    * G1 elements in proof: 7
    * G2 elements in proof: 1
    * Proof size in bits: 2294
    A = 0x17ae0464d4c0d1937fee027b520ca9ec7ee4f2abf70b52a75c636d6735005392, 0x281134f906ab1cb3011cb6207a1f9ef5398045af52c3eff8e9db9f50c8cf3828
    A_p = 0x1ac693cdd14a1206f930729a929b3b39721f838446061af6311c4ed30c428426, 0x2712e90c78ec9e0e5ccf3356e23855484c4073bb274194635b612b63f4ac8be3
    B = [0x883a4f310a3966a5cb139b59288c78aa8a8a9a8b4bf48792420d5184f8fb8b5, 0x201d60787fd856c24e7b45dab7cb41a79ff348153683dbf82b5d77d14e168ae5], [0x1d9ccf0e5d091b85a795d74abc13625e531cb65115589b999c9c0e05b7310920, 0x21a3beba1014556c091197668c9380cc37e420b4232fa5c35a175ee00bfe92f4]
    B_p = 0x1d0c580e2431894c97e6bee5de2e396477beabebeb4606c21d241328d0ca139d, 0x2add4d48ef20738cf6540cc530bf80948bd6cb8b180cf4a3ec412e0dc58fe3de
    C = 0x20ba1cacf4ebbc3c1c29d11946b1c38151cb44d0803d628fa69e1ae8e930e7c7, 0x1dc6686abe23aa65b1653fab516386b86d7deae2ac817cf7fb3d89ad4d1da8ca
    C_p = 0xb292b7ab8b91c84eb61338fa9837465d94e3e82c1e029c55b4d754161242b13, 0x15f60d3a7192a31f6da6804e960cbd13198a710f14c4860fd5ea1453eb2cf131
    H = 0x2621bd887a4e502ae5d9660a56702be8a7567bee0507d8af711be5fca888ff88, 0x2e905b72b811929ea2475d8c0df0a5815e329aebe787a37cf62a60ba4dad0c5c
    K = 0xf1bd7f2d6fe7efcb5480bd8743c359153dc73153039f0c76c90b62431ca1ac2, 0x151b78bf375d6d20a2f242e70db41d25183a594632e553f97d27570d15551ff
    generate-proof successful: true

    (I used as value for x = 5, s1 = 5, s2 = 5 )

    Here I am confused, the length of public inputs is 3 but in my verifier.sol generated the array expected in verifyTx is of length 2 ...

    Then, I deploy verifier.sol & SumsToFifteen.sol (please find them attached), and I try to test the result of my proof with the web3js script verifier.js (but it is always false):

    proof: 0
    success: false

    Please, could you help me to find a way to make all this stuff working?

    Thank's in advance


    • in verifier.js I try all kind of mix for I (I=[1, 5 ,1], I=[1, 5], I=[5,1], ...)


      referenced obviously to the contract address of the SumsToFifteen.sol

    • I've also tried to change the length of the input both files SumToFifteen.sol and verify.sol to 2 without any success

    verifier.js verifier.sol SumsToFifteen.sol

    opened by ariary 17
  • MiMCSponge and MiMC7 implementation for stdlib

    MiMCSponge and MiMC7 implementation for stdlib


    This implements the MiMCSponge hashing into the stdlib. The reference implementation this is based on, can be found here. For testing I've created a quick repo that runs the reference implementation with circom, can be found here.


    I'm a bit unsure what the input and output configurations should be set to. Currently, like in the reference, two inputs and three outputs, with 220 feistel rounds are configured, but I'm not sure what the proper settings should be, so it's up for discussion.


    Using this, with the configuration stated above, 2647 constraints are created


    Adds mimc7 hashing algo to the stdlib. The reference implementation this is based on can be found here

    Things to note:

    • The reference implementation is slightly more efficient (regarding constraints). Because ZoKrates doesn't support lazy evaluation, the t7 array has to be one element longer and a separate index counter has to be defined in the loop to prevent an out of bounds error. It's not the prettiest solution, but it was the most efficient solution I could come up with.
    • Implementation was tested with comparing hashes to the reference implementation, which were always the same, also with overflows, passing p and other edge cases.
    • The number of rounds can be set up to 91. I wasn't sure how many rounds are optimal, so I created a number of them.

    Constraints for hashing:

    • mimc7R10: 42
    • mimc7R20: 82
    • mimc7R50: 202
    • mimc7R90: 362
    opened by petscheit 8
  • associativity of subtraction of field values with function calls is wrong

    associativity of subtraction of field values with function calls is wrong

    This is best demonstrated by a test case:

    def x() -> (field):
      return 3
    def main() -> (field):
      // These all work
      7 == 10 - x()
      8 == 10 + 1 - x()
      8 == 10 - 3 + 1
      8 == (10 - 3) + 1
      8 == (10 - x()) + 1
      8 == 10 - (x() - 1)
      // These are wrong
      8 == 10 - x() + 1
      6 == 10 - x() - 1
      return 1

    All of these assertions should pass; however the final two fail:

    setup successful: true
    Computing witness for:
    def main():
            7 == 7
            8 == 8
            8 == 8
            8 == 8
            8 == 8
            8 == 8
            8 == 6
            6 == 8
            return 1
    thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Error { message: "Condition not satisfied: 8 should equal 6" }', libcore/result.rs:945:5
    note: Run with `RUST_BACKTRACE=1` for a backtrace.

    It seems that 10 - x() + 1 is interpreted as 10 - (x() + 1) rather than (10 - x()) + 1. I guess it's a problem with the way associativity is handled in combination with subtraction. Taking a wild guess, maybe it's an issue with flatten_field_expression()? But I never looked at Zokrates before this weekend, and only looked at the implementation for 30 minutes or so, so take that guess with a large pinch of salt ;-)

    This bug was found in partnership with @GuthL, so thanks to him for being a great partner in crime :-)

    Type: Bug 
    opened by aspiers 8
  • Unable to use the exported smart contract

    Unable to use the exported smart contract

    I am using truffle to export the generated smart contract for factorization.code. Versions

    Truffle v4.1.5 (core: 4.1.5)
    Solidity v0.4.21 (solc-js)

    I am able to compile (with warning though but are addressed here https://github.com/JacobEberhardt/ZoKrates/pull/49) and deploy the contract but when i try to test it, i get error

    (function (exports, require, module, __filename, __dirname) { pragma solidity ^0.4.14;

    The test is here and the contract is here

    Also i don't understand which contracts are being called at https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L49, https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L64 and https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L91

    As i understand, the second argument to call is supposed to be contract address, but they don't seem like contract address, are they? If yes, then can you please point me to those contracts or relevant sections of solidity documentation. Thanks

    Type: Bug 
    opened by lovesh 8
  • Output IR in smtlib2

    Output IR in smtlib2

    Just checking whether this is wanted in the project, I'm using it locally anyway.

    In case it is, this PR is still missing

    • [x] Conjunction on the function level
    • [x] Header including variable declaration
    • [x] Tests
    opened by leonardoalt 7
  • ztf file is not generated when light flag is used

    ztf file is not generated when light flag is used

    I think *.ztf files should be always generated, but the light flag should be a way to disable logging bigger programs to the console (so the output is less verbose).

    Current implementation skips the generation of the *.ztf file when light flag is used. Other solution would be to introduce a new flag verbose for the logging but keep the light flag as is.

    opened by dark64 7
  • Rename Source Code File Ending .code -> .zok

    Rename Source Code File Ending .code -> .zok

    The .code file extension is generic and users asked for a change. I propose to change the file ending to .zok

    Before that, we should remove file extensions from import statements.

    help wanted Good First Issue Priority: Medium 
    opened by JacobEberhardt 7
  • Updates ABI Encoder #201

    Updates ABI Encoder #201

    Updates the ABIEncoder to v2, which enables us to pass structs as parameters to functions. Simplifies the Verifier.sol a bit and is also needed for application tests (takes a lot of complexity out of the testing script because I can simply pass the proof object from the proof.json instead of parsing every value separately when calling verifyTx)

    opened by petscheit 7
  • [Runtime Crash] Symbol splitting not working correctly in subroutines

    [Runtime Crash] Symbol splitting not working correctly in subroutines

    Assume the following sample code I want to create a witness for (I stripped off meaningful things for simplicity):

    def sub():
      foo = if 1 < 2 then 1 else 2 fi
      return 1
    def main():
       return sub()

    It compiles fine. However computing a witness leads to the following error:

    thread 'main' panicked at 'no entry found for key', libcore/option.rs:917:5
    note: Run with `RUST_BACKTRACE=1` for a backtrace.

    In particular I believe that this line causes the crash. Printing var_name and inputs, I can see that:

    Inputs: {"sub_i0o1_1_sym_0": 1, "sub_i0o1_1_sym_1": 2, "sub_i0o1_1_sym_2": 21888242871839275222246405745257275088548364400416034343698204186575808495615, "~one": 1}
    Variable name: "sym_2"

    sym_2 does not exist and we therefore crash. I assume that either sub_i0o1_1_sym_2 in inputs should be sym_2 (without the subroutine prefix) or sym_2 should be prefixed accordingly.

    Type: Bug 
    opened by fleupold 7
  • Add sha256 from libsnark

    Add sha256 from libsnark

    This PR adds sha256 witness generation, constraint generation directly from libsnark. Thanks to @kobigurk for help with this.

    It also includes wraplibsnark.cpp upgrade to support the latest version of libsnark.

    This brakes ZoKrates as exportInput , _setup and _generate_proof functions were replaced with place holders as i could not see easily how to port this code.

    The build process is changed slightly so remember to run git submodule update --init --recursive before cargo +nightly build

    This change breaks the docker setup.

    The thinking is that @JacobEberhardt will take over from here and use the _sha256Constraints and _sha256Witness functions i provide to integrate sha256 in ZoKrates at a cost of ~27k constraints. Which is much better than our native implementation ~500k constraints. Which will hopefully make merkle trees practical in ZoKrates.

    opened by barryWhiteHat 7
  • Make private inputs explicit

    Make private inputs explicit


    The way private inputs are treated is different from public ones:

    • Private inputs are implicit, public inputs are explicit:
    def main(c):
      c == a * b
      return 1
    • Public inputs are passed as arguments in compute-witness, while private inputs are passed interactively
    • It makes it hard to use compute-witness programatically
    • It gives no way to list private inputs without solving the R1CS


    We think they should be explicit:

    def main(c | a,b):
      c == a * b
      return 1


    1. Make it possible to pass private inputs as arguments in compute-witness rather than interactively (the interactive mode should be activated by a flag)
    2. Make it possible to specify explicit private inputs in .code files
    3. Ban implicit private inputs from .code files

    Thoughts welcome :)

    opened by Schaeff 7
  • Split `zokrates_bellman` crate in PlonK branch

    Split `zokrates_bellman` crate in PlonK branch

    Depends on #1249

    To make the Groth16 MPC trusted setup work, we need to depend on two versions of bellman_ce. I implemented this by splitting the zokrates_bellman crate.

    Also, I went through the failing tests and fixed as many as possible.

    This is an overview of the changes:

    • zokrates_bellman: Now depends on the matter-labs version of bellman again, commented in code in the Groth16 scheme, removed PlonK
    • zokrates_bellman_plonk: A new crate that depends on our fork of bellman
      • lib.rs: Is essentially a copy of zokrates_bellman/src/lib.rs, except that it depends on a different bellman crate and uses the BellmanPlonkFieldExtensions instead of BellmanFieldExtensions
      • plonk.rs: Implementation of the PlonK scheme
    • zokrates_cli: Now depends also on the zokrates_bellman_plonk crate, commented in the MPC implementation of the Groth16 trusted setup, added PlonK to integration tests
    • zokrates_field:
      • Now depends on both bellman crates and defines the BellmanPlonkFieldExtensions trait in addition to BellmanFieldExtensions
      • Adjusted the bellman_extensions! macro and implemented BellmanPlonkFieldExtensions for all curves that previously implemented the BellmanFieldExtensions
    • zokrates_proof_systems: Fixed a bug where solidity verifiers were rendered incorrectly, triggered by a previous refactoring of the Fq2 and GAffine data types.
    • Fixed a few clippy errors

    The diff between zokrates_bellman/src/lib.rs and zokrates_bellman_plonk/src/lib.rs is quite small. It could be implemented using a macro (although I'm not sure in which crate it should be defined), let me know if I should do that :)

    opened by georgwiese 0
  • Bump secp256k1 from 0.22.1 to 0.22.2

    Bump secp256k1 from 0.22.1 to 0.22.2

    Bumps secp256k1 from 0.22.1 to 0.22.2.


    Sourced from secp256k1's changelog.

    0.22.2 - 2022-12-05


    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies rust 
    opened by dependabot[bot] 0
  • Add JubJub curve to stdlib to support signature verification on curve bl12_381

    Add JubJub curve to stdlib to support signature verification on curve bl12_381


    Zokrates supports proof generation based on the bl12_381 curve. However, in order verify a signature on the bl12_381 a user have to implement the jubjub embedded curve from scratch. There is also


    Similarly to the baby jujub, the adding an instance of the jubjub curve in the stdlib would simplify the signature verification for the curve bl12_381.


    Add jubjubParams.zok in the ecc package of zokrates_stdlib

    Backwards Compatibility

    This feature should not introduce any backward compatibility. Users who would like to use this feature would have to update Zokrates to a newer version, or copy and edit the source code according to their local version.

    opened by alvaro-alonso 0
  • Plonk: Add solidity verifier

    Plonk: Add solidity verifier

    The main changes are:

    • zokrates_bellman:
      • plonk.rs: serialize_vk() now pre-computes omega. This is redundant, but needed to render the solidity verifier.
    • zokrates_cli:
      • tests/integration.rs: Adjusted the test_compile_and_witness_dir test to run only for plonk. It should pass now, testing the full pipeline, including proof verification in solidity.
    • zokrates_proof_systems:
      • Added solidity_renderer.rs, which is an adjusted version from this code from matter-labs.
        • See this link for a comparison between 037ec0acc82b23e782ee0243e0b0405e48ca7062 (when I copied the original file from the matter-labs repo) and the current head of georgwiese:plonk-add-verifier.
      • PlonkVerifier.sol: The Plonk solidity template, copied and adjusted from this code from matter-labs.
      • scheme/plonk.rs: This file moved to the zokrates_bellman create, as mentioned above.
      • to_token.rs: Some refactorings
    • Removed some unused imports.

    To test, run:

    $ cargo test --package zokrates_cli -- --nocapture test_compile_and_witness_dir --ignored
    opened by georgwiese 1
An experimental rust zksnarks compiler with embeeded bellman-bn128 prover

Za! An experimental port of the circom zk-SNARK compiler in Rust with embedded bellman-bn128 prover. I created it as a PoC port of the existing JavaSc

adria0.eth 39 Aug 26, 2022
Confidential credit scores and loan disbursal, powered by zkSNARKs and NEAR Protocol

zkLoans zkLoans brings confidential Credit Scores. It proves to a counterparty if you meet threshold requirements for a credit score without revealing

Anirudha Bose 2 Sep 13, 2022
Substreams development kit for Ethereum chains, contains Firehose Block model and helpers as well as utilities for Ethereum ABI encoding/decoding.

Substreams Ethereum Substreams development kit for Ethereum chains, contains Rust Firehose Block model and helpers as well as utilities for Ethereum A

StreamingFast 15 Oct 25, 2022
Ethereum (and Ethereum like) indexer using P2P message to fetch blocks and transactions

Ethereum P2P indexer This project is an indexer for Ethereum and Ethereum forks. It takes advantage of the ETH (Ethereum Wire Protocol) to fetch block

null 5 Nov 10, 2023
Custom Ethereum vanity address generator made in Rust

ethaddrgen Custom Ethereum address generator Get a shiny ethereum address and stand out from the crowd! Disclaimer: Do not use the private key shown i

Jakub Hlusička 153 Dec 27, 2022
Rust Ethereum 2.0 Client

Lighthouse: Ethereum 2.0 An open-source Ethereum 2.0 client, written in Rust and maintained by Sigma Prime. Documentation Overview Lighthouse is: Read

Sigma Prime 2.1k Jan 6, 2023
Parity-Bridge — Bridge between any two ethereum-based networks

Deprecated Bridges This repo is deprecated. Originally it contained the ETH <> ETH-PoA bridge (see tumski tag). Later it was repurposed for ETH-PoA <>

Parity Technologies 314 Nov 25, 2022
The fast, light, and robust client for the Ethereum mainnet.

OpenEthereum Fast and feature-rich multi-network Ethereum client. » Download the latest release « Table of Contents Description Technical Overview Bui

OpenEthereum 1.6k Dec 28, 2022
An Ethereum 2.0 Emulator for Local Testing of Eth2 Applications

Mousse is an Ethereum 2.0 emulator for local testing of Eth2 applications (mainly Rollups). HTTP Server The REST API definition can be found in the ht

Mousse 46 Sep 10, 2022
C++ `std::unique_ptr` that represents each object as an NFT on the Ethereum blockchain

C++ `std::unique_ptr` that represents each object as an NFT on the Ethereum blockchain

null 1.9k Dec 28, 2022
Rust client to Opensea's APIs and Ethereum smart contracts

opensea.rs Rust bindings & CLI to the Opensea API and Contracts CLI Usage Run cargo r -- --help to get the top level help menu: opensea-cli 0.1.0 Choo

Georgios Konstantopoulos 226 Dec 27, 2022
Ethereum Improvement Proposal Validator

EIP validator An engine which ensures Ethereum Improvement Proposals meet certain requirements. Getting Started To install eipv and validate the EIPs

null 4 Dec 6, 2021
Terra Trophies is a copy of Ethereum's POAP project for Terra

Terra Trophies Terra Trophies is a copy of Ethereum's POAP project for Terra. It allows anyone to create digital badges for participants of events, or

larry.{ust,sol,thor} 18 Dec 7, 2022
An Ethereum compatible Substrate blockchain for bounties and governance for the Devcash community.

Substrate Node Template A fresh FRAME-based Substrate node, ready for hacking ?? Getting Started Follow the steps below to get started with the Node T

null 4 Mar 30, 2022
Scans the Ethereum network for USDT ERC-20 token transfer transactions

ethscan This is a Rust command line program for scanning the Ethereum blockchain for USDT transfers within a time span and amount span. prerequisites

Frank Buss 4 Oct 6, 2022
Terabethia - A Bridge and Messaging Protocol between Ethereum and the Internet Computer.

Terabethia - A Bridge Between Ethereum & the Internet Computer Terabethia is a bridge between Ethereum & the Internet Computer that contracts in both

Psychedelic 36 Dec 26, 2022
Emerging smart contract language for the Ethereum blockchain.

Emerging smart contract language for the Ethereum blockchain.

null 1.4k Jan 9, 2023
zkSync: trustless scaling and privacy engine for Ethereum

zkSync: scaling and privacy engine for Ethereum zkSync is a scaling and privacy engine for Ethereum. Its current functionality scope includes low gas

Matter Labs 1.9k Jan 1, 2023
Bellman zkSNARK library for community with Ethereum's BN256 support

bellman "Community edition" Originally developed for ZCash, with extensions from us to make it a little more pleasant. Uses our "community edition" pa

Matter Labs 113 Dec 29, 2022