A toolbox for zkSNARKs on Ethereum



Join the chat at https://gitter.im/ZoKrates/Lobby CircleCI develop

ZoKrates is a toolbox for zkSNARKs on Ethereum.

This is a proof-of-concept implementation. It has not been tested for production.

Getting Started

Load the ZoKrates Plugin on Remix to write your first SNARK program!

Alternatively, you can install the ZoKrates CLI:

curl -LSfs get.zokrat.es | sh

Have a look at the documentation for more information about using ZoKrates. Get started, then try a tutorial!

Getting Help

If you run into problems, ZoKrates has a Gitter room.


ZoKrates is released under the GNU Lesser General Public License v3.


We happily welcome contributions. You can either pick an existing issue or reach out on Gitter.

Unless you explicitly state otherwise, any contribution you intentionally submit for inclusion in the work shall be licensed as above, without any additional terms or conditions.

Git Hooks

You can enable zokrates git hooks locally by running:

git config core.hooksPath .githooks
  • testing proof with web3js

    testing proof with web3js

    I have been playing with ZoKrates for a few days but I can't achieve a verification process with a true statement. It is alway FALSE I tried to follow the tutorial of the readme but I encountered some difficulties: the verification always returns "false". I mean, of course, I should use the toolbox with a wrong way

    This is the basic code I want to test:

    def main(x,private s1,private s2):
        s1 + s2 + x == 15
        return 1

    Then when I generate proof I have this output:

    Generating proof...
    Using Witness: {"~one": 1, "x": 5, "~out_0": 1, "s2": 5, "s1": 5}
    Public inputs: [1, 5, 1]
    Private inputs: [5, 5]
    * Elements of w skipped: 0 (-nan%)
    * Elements of w processed with special addition: 0 (-nan%)
    * Elements of w remaining: 0 (-nan%)
    * Elements of w skipped: 0 (-nan%)
    * Elements of w processed with special addition: 0 (-nan%)
    * Elements of w remaining: 0 (-nan%)
    * Elements of w skipped: 0 (0.00%)
    * Elements of w processed with special addition: 1 (25.00%)
    * Elements of w remaining: 3 (75.00%)
    * Elements of w skipped: 0 (0.00%)
    * Elements of w processed with special addition: 1 (25.00%)
    * Elements of w remaining: 3 (75.00%)
    * G1 elements in proof: 7
    * G2 elements in proof: 1
    * Proof size in bits: 2294
    A = 0x17ae0464d4c0d1937fee027b520ca9ec7ee4f2abf70b52a75c636d6735005392, 0x281134f906ab1cb3011cb6207a1f9ef5398045af52c3eff8e9db9f50c8cf3828
    A_p = 0x1ac693cdd14a1206f930729a929b3b39721f838446061af6311c4ed30c428426, 0x2712e90c78ec9e0e5ccf3356e23855484c4073bb274194635b612b63f4ac8be3
    B = [0x883a4f310a3966a5cb139b59288c78aa8a8a9a8b4bf48792420d5184f8fb8b5, 0x201d60787fd856c24e7b45dab7cb41a79ff348153683dbf82b5d77d14e168ae5], [0x1d9ccf0e5d091b85a795d74abc13625e531cb65115589b999c9c0e05b7310920, 0x21a3beba1014556c091197668c9380cc37e420b4232fa5c35a175ee00bfe92f4]
    B_p = 0x1d0c580e2431894c97e6bee5de2e396477beabebeb4606c21d241328d0ca139d, 0x2add4d48ef20738cf6540cc530bf80948bd6cb8b180cf4a3ec412e0dc58fe3de
    C = 0x20ba1cacf4ebbc3c1c29d11946b1c38151cb44d0803d628fa69e1ae8e930e7c7, 0x1dc6686abe23aa65b1653fab516386b86d7deae2ac817cf7fb3d89ad4d1da8ca
    C_p = 0xb292b7ab8b91c84eb61338fa9837465d94e3e82c1e029c55b4d754161242b13, 0x15f60d3a7192a31f6da6804e960cbd13198a710f14c4860fd5ea1453eb2cf131
    H = 0x2621bd887a4e502ae5d9660a56702be8a7567bee0507d8af711be5fca888ff88, 0x2e905b72b811929ea2475d8c0df0a5815e329aebe787a37cf62a60ba4dad0c5c
    K = 0xf1bd7f2d6fe7efcb5480bd8743c359153dc73153039f0c76c90b62431ca1ac2, 0x151b78bf375d6d20a2f242e70db41d25183a594632e553f97d27570d15551ff
    generate-proof successful: true

    (I used as value for x = 5, s1 = 5, s2 = 5 )

    Here I am confused, the length of public inputs is 3 but in my verifier.sol generated the array expected in verifyTx is of length 2 ...

    Then, I deploy verifier.sol & SumsToFifteen.sol (please find them attached), and I try to test the result of my proof with the web3js script verifier.js (but it is always false):

    proof: 0
    success: false

    Please, could you help me to find a way to make all this stuff working?

    Thank's in advance


    • in verifier.js I try all kind of mix for I (I=[1, 5 ,1], I=[1, 5], I=[5,1], ...)


      referenced obviously to the contract address of the SumsToFifteen.sol

    • I've also tried to change the length of the input both files SumToFifteen.sol and verify.sol to 2 without any success

    verifier.js verifier.sol SumsToFifteen.sol

    opened by ariary 17
  • MiMCSponge and MiMC7 implementation for stdlib

    MiMCSponge and MiMC7 implementation for stdlib


    This implements the MiMCSponge hashing into the stdlib. The reference implementation this is based on, can be found here. For testing I've created a quick repo that runs the reference implementation with circom, can be found here.


    I'm a bit unsure what the input and output configurations should be set to. Currently, like in the reference, two inputs and three outputs, with 220 feistel rounds are configured, but I'm not sure what the proper settings should be, so it's up for discussion.


    Using this, with the configuration stated above, 2647 constraints are created


    Adds mimc7 hashing algo to the stdlib. The reference implementation this is based on can be found here

    Things to note:

    • The reference implementation is slightly more efficient (regarding constraints). Because ZoKrates doesn't support lazy evaluation, the t7 array has to be one element longer and a separate index counter has to be defined in the loop to prevent an out of bounds error. It's not the prettiest solution, but it was the most efficient solution I could come up with.
    • Implementation was tested with comparing hashes to the reference implementation, which were always the same, also with overflows, passing p and other edge cases.
    • The number of rounds can be set up to 91. I wasn't sure how many rounds are optimal, so I created a number of them.

    Constraints for hashing:

    • mimc7R10: 42
    • mimc7R20: 82
    • mimc7R50: 202
    • mimc7R90: 362
    opened by petscheit 8
  • associativity of subtraction of field values with function calls is wrong

    associativity of subtraction of field values with function calls is wrong

    This is best demonstrated by a test case:

    def x() -> (field):
      return 3
    def main() -> (field):
      // These all work
      7 == 10 - x()
      8 == 10 + 1 - x()
      8 == 10 - 3 + 1
      8 == (10 - 3) + 1
      8 == (10 - x()) + 1
      8 == 10 - (x() - 1)
      // These are wrong
      8 == 10 - x() + 1
      6 == 10 - x() - 1
      return 1

    All of these assertions should pass; however the final two fail:

    setup successful: true
    Computing witness for:
    def main():
            7 == 7
            8 == 8
            8 == 8
            8 == 8
            8 == 8
            8 == 8
            8 == 6
            6 == 8
            return 1
    thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Error { message: "Condition not satisfied: 8 should equal 6" }', libcore/result.rs:945:5
    note: Run with `RUST_BACKTRACE=1` for a backtrace.

    It seems that 10 - x() + 1 is interpreted as 10 - (x() + 1) rather than (10 - x()) + 1. I guess it's a problem with the way associativity is handled in combination with subtraction. Taking a wild guess, maybe it's an issue with flatten_field_expression()? But I never looked at Zokrates before this weekend, and only looked at the implementation for 30 minutes or so, so take that guess with a large pinch of salt ;-)

    This bug was found in partnership with @GuthL, so thanks to him for being a great partner in crime :-)

    Type: Bug 
    opened by aspiers 8
  • Unable to use the exported smart contract

    Unable to use the exported smart contract

    I am using truffle to export the generated smart contract for factorization.code. Versions

    Truffle v4.1.5 (core: 4.1.5)
    Solidity v0.4.21 (solc-js)

    I am able to compile (with warning though but are addressed here https://github.com/JacobEberhardt/ZoKrates/pull/49) and deploy the contract but when i try to test it, i get error

    (function (exports, require, module, __filename, __dirname) { pragma solidity ^0.4.14;

    The test is here and the contract is here

    Also i don't understand which contracts are being called at https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L49, https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L64 and https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L91

    As i understand, the second argument to call is supposed to be contract address, but they don't seem like contract address, are they? If yes, then can you please point me to those contracts or relevant sections of solidity documentation. Thanks

    Type: Bug 
    opened by lovesh 8
  • Output IR in smtlib2

    Output IR in smtlib2

    Just checking whether this is wanted in the project, I'm using it locally anyway.

    In case it is, this PR is still missing

    • [x] Conjunction on the function level
    • [x] Header including variable declaration
    • [x] Tests
    opened by leonardoalt 7
  • ztf file is not generated when light flag is used

    ztf file is not generated when light flag is used

    I think *.ztf files should be always generated, but the light flag should be a way to disable logging bigger programs to the console (so the output is less verbose).

    Current implementation skips the generation of the *.ztf file when light flag is used. Other solution would be to introduce a new flag verbose for the logging but keep the light flag as is.

    opened by dark64 7
  • Rename Source Code File Ending .code -> .zok

    Rename Source Code File Ending .code -> .zok

    The .code file extension is generic and users asked for a change. I propose to change the file ending to .zok

    Before that, we should remove file extensions from import statements.

    help wanted Good First Issue Priority: Medium 
    opened by JacobEberhardt 7
  • Updates ABI Encoder #201

    Updates ABI Encoder #201

    Updates the ABIEncoder to v2, which enables us to pass structs as parameters to functions. Simplifies the Verifier.sol a bit and is also needed for application tests (takes a lot of complexity out of the testing script because I can simply pass the proof object from the proof.json instead of parsing every value separately when calling verifyTx)

    opened by petscheit 7
  • [Runtime Crash] Symbol splitting not working correctly in subroutines

    [Runtime Crash] Symbol splitting not working correctly in subroutines

    Assume the following sample code I want to create a witness for (I stripped off meaningful things for simplicity):

    def sub():
      foo = if 1 < 2 then 1 else 2 fi
      return 1
    def main():
       return sub()

    It compiles fine. However computing a witness leads to the following error:

    thread 'main' panicked at 'no entry found for key', libcore/option.rs:917:5
    note: Run with `RUST_BACKTRACE=1` for a backtrace.

    In particular I believe that this line causes the crash. Printing var_name and inputs, I can see that:

    Inputs: {"sub_i0o1_1_sym_0": 1, "sub_i0o1_1_sym_1": 2, "sub_i0o1_1_sym_2": 21888242871839275222246405745257275088548364400416034343698204186575808495615, "~one": 1}
    Variable name: "sym_2"

    sym_2 does not exist and we therefore crash. I assume that either sub_i0o1_1_sym_2 in inputs should be sym_2 (without the subroutine prefix) or sym_2 should be prefixed accordingly.

    Type: Bug 
    opened by fleupold 7
  • Add sha256 from libsnark

    Add sha256 from libsnark

    This PR adds sha256 witness generation, constraint generation directly from libsnark. Thanks to @kobigurk for help with this.

    It also includes wraplibsnark.cpp upgrade to support the latest version of libsnark.

    This brakes ZoKrates as exportInput , _setup and _generate_proof functions were replaced with place holders as i could not see easily how to port this code.

    The build process is changed slightly so remember to run git submodule update --init --recursive before cargo +nightly build

    This change breaks the docker setup.

    The thinking is that @JacobEberhardt will take over from here and use the _sha256Constraints and _sha256Witness functions i provide to integrate sha256 in ZoKrates at a cost of ~27k constraints. Which is much better than our native implementation ~500k constraints. Which will hopefully make merkle trees practical in ZoKrates.

    opened by barryWhiteHat 7
  • Make private inputs explicit

    Make private inputs explicit


    The way private inputs are treated is different from public ones:

    • Private inputs are implicit, public inputs are explicit:
    def main(c):
      c == a * b
      return 1
    • Public inputs are passed as arguments in compute-witness, while private inputs are passed interactively
    • It makes it hard to use compute-witness programatically
    • It gives no way to list private inputs without solving the R1CS


    We think they should be explicit:

    def main(c | a,b):
      c == a * b
      return 1


    1. Make it possible to pass private inputs as arguments in compute-witness rather than interactively (the interactive mode should be activated by a flag)
    2. Make it possible to specify explicit private inputs in .code files
    3. Ban implicit private inputs from .code files

    Thoughts welcome :)

    opened by Schaeff 7
  • The Internal Algorithm behind Zokrates

    The Internal Algorithm behind Zokrates

    HI, I am studying Zokrates for my thesis. I would really appreciate if I get some links that can explain the algorithms behind Zokrates. Like how the Verification_key, proof.json are created, the logic behind the verifier.sol.

    opened by zubayr1 0
  • Make end to end tests self contained in source file

    Make end to end tests self contained in source file


    We have a separate json file to specify tests along side a zok file. This would be better in a single file.


    It should be easier to write end to end tests.



    Backwards Compatibility


    opened by Schaeff 0
  • Better tools to create AST internally when writing tests

    Better tools to create AST internally when writing tests


    Writing internal tests is very verbose because of how precise the AST is. Introduce more succinct ways to build AST internally.


    Tests should be easier to write.



    Backwards Compatibility


    opened by Schaeff 0
  • Not able to make ZoKrates usage non interactive

    Not able to make ZoKrates usage non interactive

    I am a new user of the ZoKrates library. I am not clear about the sequence of the events taking place. (Let's Ignore the trusted setup step for now)

    The first step is to load Verification Id into the blockchain (Smart Contract) Then a prover comes up with proof and claims the output However, in both these steps, it's easy to capture (listen to mempool) and establish the relationship between Sender of Verification Id and Sender of Proof. And hence one can easily establish a relationship. Even this can easily be front run by any MEV bot.

    My requirement is just to break the relationship (non-interactive way) between the sender and receiver of the transaction. Output can be seen on the chain.

    Another option in ZoKrates is to prove the knowledge of the preimage of SHA256 or EdDSA Signature. But here again, anyone can listen to mempool and establish the relationship between Sender of Verification Id and Sender of Proof.

    Am I missing some basic steps, please help. I am using the below code (it's all working fine) just that I am not able to make all these non-interactive.

    For EdDSA signature inside ZoKrates ****************************

    from "ecc/babyjubjubParams" import BabyJubJubParams;
    import "signatures/verifyEddsa.zok" as verifyEddsa;
    import "ecc/babyjubjubParams.zok" as context;
    def main(private field[2] R, private field S, field[2] A, u32[8] M0, u32[8] M1) -> bool {
        BabyJubJubParams context = context();
        bool isVerified = verifyEddsa(R, S, A, M0, M1, context);
        return isVerified;

    For Proof Of preimage Knowledge****************************

    import "hashes/sha256/512bitPacked" as sha256packed;
    // def main(field value1, field value2 , private field a, private field b, private field c, private field d) -> bool {
    def main(field[2] value , private field[4] preimage) -> bool {
        // field[2] mut value = [203772347275113904407135746007417663121,66616246088195480745399082012482605937];
        // field[4] mut preImage = [387708,155717,887569,56533];
        return sha256packed(preimage)  == value;


    opened by shishirhome 0
  • Function visibility

    Function visibility


    Adding a function visibility feature would allow users to set a function to be private and local to the defining module.


    As all functions are exportable and public by default, it is possible to import functions that are not meant to be used directly (for various reasons eg. a function could have assumptions that are unknown to the user). This has happened before with some stdlib functions.


    private def func(...) -> { ... }

    We could also use some other term like local because in our case private has a specific meaning, which might cause confusion.

    Backwards Compatibility

    Depending on the implementation, should be compatible as long as the functions stay public by default.

    Type: Enhancement 
    opened by dark64 0
An experimental rust zksnarks compiler with embeeded bellman-bn128 prover

Za! An experimental port of the circom zk-SNARK compiler in Rust with embedded bellman-bn128 prover. I created it as a PoC port of the existing JavaSc

adria0.eth 39 Aug 26, 2022
Confidential credit scores and loan disbursal, powered by zkSNARKs and NEAR Protocol

zkLoans zkLoans brings confidential Credit Scores. It proves to a counterparty if you meet threshold requirements for a credit score without revealing

Anirudha Bose 2 Sep 13, 2022
Substreams development kit for Ethereum chains, contains Firehose Block model and helpers as well as utilities for Ethereum ABI encoding/decoding.

Substreams Ethereum Substreams development kit for Ethereum chains, contains Rust Firehose Block model and helpers as well as utilities for Ethereum A

StreamingFast 10 Sep 13, 2022
Custom Ethereum vanity address generator made in Rust

ethaddrgen Custom Ethereum address generator Get a shiny ethereum address and stand out from the crowd! Disclaimer: Do not use the private key shown i

Jakub Hlusička 144 Sep 5, 2022
Rust Ethereum 2.0 Client

Lighthouse: Ethereum 2.0 An open-source Ethereum 2.0 client, written in Rust and maintained by Sigma Prime. Documentation Overview Lighthouse is: Read

Sigma Prime 2k Sep 22, 2022
Parity-Bridge — Bridge between any two ethereum-based networks

Deprecated Bridges This repo is deprecated. Originally it contained the ETH <> ETH-PoA bridge (see tumski tag). Later it was repurposed for ETH-PoA <>

Parity Technologies 314 Sep 12, 2022
The fast, light, and robust client for the Ethereum mainnet.

OpenEthereum Fast and feature-rich multi-network Ethereum client. » Download the latest release « Table of Contents Description Technical Overview Bui

OpenEthereum 1.6k Sep 21, 2022
An Ethereum 2.0 Emulator for Local Testing of Eth2 Applications

Mousse is an Ethereum 2.0 emulator for local testing of Eth2 applications (mainly Rollups). HTTP Server The REST API definition can be found in the ht

Mousse 46 Sep 10, 2022
C++ `std::unique_ptr` that represents each object as an NFT on the Ethereum blockchain

C++ `std::unique_ptr` that represents each object as an NFT on the Ethereum blockchain

null 1.9k Sep 18, 2022
Rust client to Opensea's APIs and Ethereum smart contracts

opensea.rs Rust bindings & CLI to the Opensea API and Contracts CLI Usage Run cargo r -- --help to get the top level help menu: opensea-cli 0.1.0 Choo

Georgios Konstantopoulos 213 Sep 25, 2022
Ethereum Improvement Proposal Validator

EIP validator An engine which ensures Ethereum Improvement Proposals meet certain requirements. Getting Started To install eipv and validate the EIPs

null 4 Dec 6, 2021
Terra Trophies is a copy of Ethereum's POAP project for Terra

Terra Trophies Terra Trophies is a copy of Ethereum's POAP project for Terra. It allows anyone to create digital badges for participants of events, or

larry.{ust,sol,thor} 16 Sep 22, 2022
An Ethereum compatible Substrate blockchain for bounties and governance for the Devcash community.

Substrate Node Template A fresh FRAME-based Substrate node, ready for hacking ?? Getting Started Follow the steps below to get started with the Node T

null 4 Mar 30, 2022
Scans the Ethereum network for USDT ERC-20 token transfer transactions

ethscan This is a Rust command line program for scanning the Ethereum blockchain for USDT transfers within a time span and amount span. prerequisites

Frank Buss 5 Sep 12, 2022
Terabethia - A Bridge and Messaging Protocol between Ethereum and the Internet Computer.

Terabethia - A Bridge Between Ethereum & the Internet Computer Terabethia is a bridge between Ethereum & the Internet Computer that contracts in both

Psychedelic 34 Sep 13, 2022
Emerging smart contract language for the Ethereum blockchain.

Emerging smart contract language for the Ethereum blockchain.

null 1.2k Sep 20, 2022
zkSync: trustless scaling and privacy engine for Ethereum

zkSync: scaling and privacy engine for Ethereum zkSync is a scaling and privacy engine for Ethereum. Its current functionality scope includes low gas

Matter Labs 1.5k Sep 22, 2022
Bellman zkSNARK library for community with Ethereum's BN256 support

bellman "Community edition" Originally developed for ZCash, with extensions from us to make it a little more pleasant. Uses our "community edition" pa

Matter Labs 103 Sep 26, 2022
Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.

foundry Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust. Foundry consists of: Forge: Ethe

Georgios Konstantopoulos 4.3k Sep 24, 2022