A toolbox for zkSNARKs on Ethereum

Last update: May 25, 2022


Join the chat at https://gitter.im/ZoKrates/Lobby CircleCI develop

ZoKrates is a toolbox for zkSNARKs on Ethereum.

This is a proof-of-concept implementation. It has not been tested for production.

Getting Started

Load the ZoKrates Plugin on Remix to write your first SNARK program!

Alternatively, you can install the ZoKrates CLI:

curl -LSfs get.zokrat.es | sh

Have a look at the documentation for more information about using ZoKrates. Get started, then try a tutorial!

Getting Help

If you run into problems, ZoKrates has a Gitter room.


ZoKrates is released under the GNU Lesser General Public License v3.


We happily welcome contributions. You can either pick an existing issue or reach out on Gitter.

Unless you explicitly state otherwise, any contribution you intentionally submit for inclusion in the work shall be licensed as above, without any additional terms or conditions.

Git Hooks

You can enable zokrates git hooks locally by running:

git config core.hooksPath .githooks


  • 1. testing proof with web3js

    I have been playing with ZoKrates for a few days but I can't achieve a verification process with a true statement. It is alway FALSE I tried to follow the tutorial of the readme but I encountered some difficulties: the verification always returns "false". I mean, of course, I should use the toolbox with a wrong way

    This is the basic code I want to test:

    def main(x,private s1,private s2):
        s1 + s2 + x == 15
        return 1

    Then when I generate proof I have this output:

    Generating proof...
    Using Witness: {"~one": 1, "x": 5, "~out_0": 1, "s2": 5, "s1": 5}
    Public inputs: [1, 5, 1]
    Private inputs: [5, 5]
    * Elements of w skipped: 0 (-nan%)
    * Elements of w processed with special addition: 0 (-nan%)
    * Elements of w remaining: 0 (-nan%)
    * Elements of w skipped: 0 (-nan%)
    * Elements of w processed with special addition: 0 (-nan%)
    * Elements of w remaining: 0 (-nan%)
    * Elements of w skipped: 0 (0.00%)
    * Elements of w processed with special addition: 1 (25.00%)
    * Elements of w remaining: 3 (75.00%)
    * Elements of w skipped: 0 (0.00%)
    * Elements of w processed with special addition: 1 (25.00%)
    * Elements of w remaining: 3 (75.00%)
    * G1 elements in proof: 7
    * G2 elements in proof: 1
    * Proof size in bits: 2294
    A = 0x17ae0464d4c0d1937fee027b520ca9ec7ee4f2abf70b52a75c636d6735005392, 0x281134f906ab1cb3011cb6207a1f9ef5398045af52c3eff8e9db9f50c8cf3828
    A_p = 0x1ac693cdd14a1206f930729a929b3b39721f838446061af6311c4ed30c428426, 0x2712e90c78ec9e0e5ccf3356e23855484c4073bb274194635b612b63f4ac8be3
    B = [0x883a4f310a3966a5cb139b59288c78aa8a8a9a8b4bf48792420d5184f8fb8b5, 0x201d60787fd856c24e7b45dab7cb41a79ff348153683dbf82b5d77d14e168ae5], [0x1d9ccf0e5d091b85a795d74abc13625e531cb65115589b999c9c0e05b7310920, 0x21a3beba1014556c091197668c9380cc37e420b4232fa5c35a175ee00bfe92f4]
    B_p = 0x1d0c580e2431894c97e6bee5de2e396477beabebeb4606c21d241328d0ca139d, 0x2add4d48ef20738cf6540cc530bf80948bd6cb8b180cf4a3ec412e0dc58fe3de
    C = 0x20ba1cacf4ebbc3c1c29d11946b1c38151cb44d0803d628fa69e1ae8e930e7c7, 0x1dc6686abe23aa65b1653fab516386b86d7deae2ac817cf7fb3d89ad4d1da8ca
    C_p = 0xb292b7ab8b91c84eb61338fa9837465d94e3e82c1e029c55b4d754161242b13, 0x15f60d3a7192a31f6da6804e960cbd13198a710f14c4860fd5ea1453eb2cf131
    H = 0x2621bd887a4e502ae5d9660a56702be8a7567bee0507d8af711be5fca888ff88, 0x2e905b72b811929ea2475d8c0df0a5815e329aebe787a37cf62a60ba4dad0c5c
    K = 0xf1bd7f2d6fe7efcb5480bd8743c359153dc73153039f0c76c90b62431ca1ac2, 0x151b78bf375d6d20a2f242e70db41d25183a594632e553f97d27570d15551ff
    generate-proof successful: true

    (I used as value for x = 5, s1 = 5, s2 = 5 )

    Here I am confused, the length of public inputs is 3 but in my verifier.sol generated the array expected in verifyTx is of length 2 ...

    Then, I deploy verifier.sol & SumsToFifteen.sol (please find them attached), and I try to test the result of my proof with the web3js script verifier.js (but it is always false):

    proof: 0
    success: false

    Please, could you help me to find a way to make all this stuff working?

    Thank's in advance


    • in verifier.js I try all kind of mix for I (I=[1, 5 ,1], I=[1, 5], I=[5,1], ...)


      referenced obviously to the contract address of the SumsToFifteen.sol

    • I've also tried to change the length of the input both files SumToFifteen.sol and verify.sol to 2 without any success

    verifier.js verifier.sol SumsToFifteen.sol

    Reviewed by ariary at 2018-04-04 14:50
  • 2. MiMCSponge and MiMC7 implementation for stdlib


    This implements the MiMCSponge hashing into the stdlib. The reference implementation this is based on, can be found here. For testing I've created a quick repo that runs the reference implementation with circom, can be found here.


    I'm a bit unsure what the input and output configurations should be set to. Currently, like in the reference, two inputs and three outputs, with 220 feistel rounds are configured, but I'm not sure what the proper settings should be, so it's up for discussion.


    Using this, with the configuration stated above, 2647 constraints are created


    Adds mimc7 hashing algo to the stdlib. The reference implementation this is based on can be found here

    Things to note:

    • The reference implementation is slightly more efficient (regarding constraints). Because ZoKrates doesn't support lazy evaluation, the t7 array has to be one element longer and a separate index counter has to be defined in the loop to prevent an out of bounds error. It's not the prettiest solution, but it was the most efficient solution I could come up with.
    • Implementation was tested with comparing hashes to the reference implementation, which were always the same, also with overflows, passing p and other edge cases.
    • The number of rounds can be set up to 91. I wasn't sure how many rounds are optimal, so I created a number of them.

    Constraints for hashing:

    • mimc7R10: 42
    • mimc7R20: 82
    • mimc7R50: 202
    • mimc7R90: 362
    Reviewed by petscheit at 2020-04-10 16:21
  • 3. associativity of subtraction of field values with function calls is wrong

    This is best demonstrated by a test case:

    def x() -> (field):
      return 3
    def main() -> (field):
      // These all work
      7 == 10 - x()
      8 == 10 + 1 - x()
      8 == 10 - 3 + 1
      8 == (10 - 3) + 1
      8 == (10 - x()) + 1
      8 == 10 - (x() - 1)
      // These are wrong
      8 == 10 - x() + 1
      6 == 10 - x() - 1
      return 1

    All of these assertions should pass; however the final two fail:

    setup successful: true
    Computing witness for:
    def main():
            7 == 7
            8 == 8
            8 == 8
            8 == 8
            8 == 8
            8 == 8
            8 == 6
            6 == 8
            return 1
    thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Error { message: "Condition not satisfied: 8 should equal 6" }', libcore/result.rs:945:5
    note: Run with `RUST_BACKTRACE=1` for a backtrace.

    It seems that 10 - x() + 1 is interpreted as 10 - (x() + 1) rather than (10 - x()) + 1. I guess it's a problem with the way associativity is handled in combination with subtraction. Taking a wild guess, maybe it's an issue with flatten_field_expression()? But I never looked at Zokrates before this weekend, and only looked at the implementation for 30 minutes or so, so take that guess with a large pinch of salt ;-)

    This bug was found in partnership with @GuthL, so thanks to him for being a great partner in crime :-)

    Reviewed by aspiers at 2018-11-19 11:10
  • 4. Unable to use the exported smart contract

    I am using truffle to export the generated smart contract for factorization.code. Versions

    Truffle v4.1.5 (core: 4.1.5)
    Solidity v0.4.21 (solc-js)

    I am able to compile (with warning though but are addressed here https://github.com/JacobEberhardt/ZoKrates/pull/49) and deploy the contract but when i try to test it, i get error

    (function (exports, require, module, __filename, __dirname) { pragma solidity ^0.4.14;

    The test is here and the contract is here

    Also i don't understand which contracts are being called at https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L49, https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L64 and https://github.com/lovesh/ZoKrates/blob/develop/src/verification.rs#L91

    As i understand, the second argument to call is supposed to be contract address, but they don't seem like contract address, are they? If yes, then can you please point me to those contracts or relevant sections of solidity documentation. Thanks

    Reviewed by lovesh at 2018-04-13 22:21
  • 5. Output IR in smtlib2

    Just checking whether this is wanted in the project, I'm using it locally anyway.

    In case it is, this PR is still missing

    • [x] Conjunction on the function level
    • [x] Header including variable declaration
    • [x] Tests
    Reviewed by leonardoalt at 2021-06-10 15:23
  • 6. ztf file is not generated when light flag is used

    I think *.ztf files should be always generated, but the light flag should be a way to disable logging bigger programs to the console (so the output is less verbose).

    Current implementation skips the generation of the *.ztf file when light flag is used. Other solution would be to introduce a new flag verbose for the logging but keep the light flag as is.

    Reviewed by dark64 at 2021-02-18 18:15
  • 7. Rename Source Code File Ending .code -> .zok

    The .code file extension is generic and users asked for a change. I propose to change the file ending to .zok

    Before that, we should remove file extensions from import statements.

    Reviewed by JacobEberhardt at 2019-06-19 13:12
  • 8. Updates ABI Encoder #201

    Updates the ABIEncoder to v2, which enables us to pass structs as parameters to functions. Simplifies the Verifier.sol a bit and is also needed for application tests (takes a lot of complexity out of the testing script because I can simply pass the proof object from the proof.json instead of parsing every value separately when calling verifyTx)

    Reviewed by petscheit at 2019-05-29 14:12
  • 9. [Runtime Crash] Symbol splitting not working correctly in subroutines

    Assume the following sample code I want to create a witness for (I stripped off meaningful things for simplicity):

    def sub():
      foo = if 1 < 2 then 1 else 2 fi
      return 1
    def main():
       return sub()

    It compiles fine. However computing a witness leads to the following error:

    thread 'main' panicked at 'no entry found for key', libcore/option.rs:917:5
    note: Run with `RUST_BACKTRACE=1` for a backtrace.

    In particular I believe that this line causes the crash. Printing var_name and inputs, I can see that:

    Inputs: {"sub_i0o1_1_sym_0": 1, "sub_i0o1_1_sym_1": 2, "sub_i0o1_1_sym_2": 21888242871839275222246405745257275088548364400416034343698204186575808495615, "~one": 1}
    Variable name: "sym_2"

    sym_2 does not exist and we therefore crash. I assume that either sub_i0o1_1_sym_2 in inputs should be sym_2 (without the subroutine prefix) or sym_2 should be prefixed accordingly.

    Reviewed by fleupold at 2018-07-31 13:39
  • 10. Add sha256 from libsnark

    This PR adds sha256 witness generation, constraint generation directly from libsnark. Thanks to @kobigurk for help with this.

    It also includes wraplibsnark.cpp upgrade to support the latest version of libsnark.

    This brakes ZoKrates as exportInput , _setup and _generate_proof functions were replaced with place holders as i could not see easily how to port this code.

    The build process is changed slightly so remember to run git submodule update --init --recursive before cargo +nightly build

    This change breaks the docker setup.

    The thinking is that @JacobEberhardt will take over from here and use the _sha256Constraints and _sha256Witness functions i provide to integrate sha256 in ZoKrates at a cost of ~27k constraints. Which is much better than our native implementation ~500k constraints. Which will hopefully make merkle trees practical in ZoKrates.

    Reviewed by barryWhiteHat at 2018-04-27 16:10
  • 11. Make private inputs explicit


    The way private inputs are treated is different from public ones:

    • Private inputs are implicit, public inputs are explicit:
    def main(c):
      c == a * b
      return 1
    • Public inputs are passed as arguments in compute-witness, while private inputs are passed interactively
    • It makes it hard to use compute-witness programatically
    • It gives no way to list private inputs without solving the R1CS


    We think they should be explicit:

    def main(c | a,b):
      c == a * b
      return 1


    1. Make it possible to pass private inputs as arguments in compute-witness rather than interactively (the interactive mode should be activated by a flag)
    2. Make it possible to specify explicit private inputs in .code files
    3. Ban implicit private inputs from .code files

    Thoughts welcome :)

    Reviewed by Schaeff at 2017-11-20 17:40
  • 12. Add curve and scheme to vk and proof

    Add two fields to the serialized proof and serialized verification key:

    • curve: a string with the name of the curve used. Ex: "bn128"
    • scheme: a string with the name of the proving scheme used. Ex: "g16"

    Adjust deserialization to look at these fields first to then build the correct generic structs. This change is backward-compatible as the new formats are an extension of the old ones.

    Reviewed by Schaeff at 2022-05-18 11:00
  • 13. Split project into crates

    The zokrates_core crate is big and has some spaghetti code, as well as all of the backend code.

    Split off

    • backend implementations zokrates_{ark, libsnark, bellman}
    • proof systems zokrates_proof_systems
    • interpreter zokrates_interpreter
    • data structures zokrates_ast
    • actual compiler stuff zokrates_core
    Reviewed by Schaeff at 2022-05-13 10:37
  • 14. zokrates-js 1.0.43 drops support of bellman as the backend?


    I've found that zokrates-js 1.0.43 does not use bellman as the backend, it uses Ark now. Versions prior to this one, were using bellman. So any particular reasons to drop the support of bellman? What should we do if we want to use zokrates-js with bellman in the future versions.

    We encountered a problem to deserialize the proving key with zokrates-js 1.0.43, I think it should be caused by the change of backend, because our proving key was generated with backend=bellman. Let me know if I misunderstood it.


    Reviewed by mystiko0x1 at 2022-05-09 11:45
  • 15. wrong SHA 256 values being used with Zokrates ?


    I have been following the tutorial given by AwesomeHuang here

    I am using Remix IDE on Firefox

    I modified the provided code to make sure it fits syntax of the latest version of Zokrates

    However, the problem seems to be the the SHA-256 Hashes being used in the program

    I have been trying to use their given code and then adapt it to my own use case. However, while trying to test out their code, i noticed that the SHA-256 hashes they are using;

    zokrates compute-witness -a 50 1000 242738482787324818092317501628658271637 853498718274837825789312739748392789743 438758372489912996993285694393204086976

    the hashes for the values of 50 and 100 are given as

    242738482787324818092317501628658271637 and



    However, when i try to hash these numbers, i cannot get this hash. So it is the mystery on how they are getting these hash values and using them in Zokrates

    Can you please clarify this


    • Compiler version: 0.7.13
    • Operating system: Ubuntu 20.04
    Reviewed by SyedMuhamadYasir at 2022-05-09 11:05
  • 16. Fix zokrates-js compatiblity and recent issues


    We can improve zokrates-js compatibility by:

    • Removing the imports of *.json files (still experimental in some cases, in others the json-loader is needed). Using regular js files would be a better solution.
    • Mention in docs that experiments.asyncWebAssembly in webpack should be enabled.

    Recent issues:

    • pkg folder is not being pushed to npm making the package unusable/broken.
    Reviewed by dark64 at 2022-05-09 08:55
  • 17. "Unknown version" running mpc verification step with docker


    When running the mpc verify step with docker, I expected to see the verification running. Instead, when running with the latest tag, I get the error "Unknown version". It works fine if I choose an older tag for the docker image ex. zokrates/zokrates:0.7.11

    Steps to Reproduce

    After running the rest of the MPC steps:

    docker run zokrates/zokrates zokrates mpc verify -i params/param -c circuits/circuit -r radix/radix
    Reviewed by signorecello at 2022-05-03 21:59
An experimental rust zksnarks compiler with embeeded bellman-bn128 prover

Za! An experimental port of the circom zk-SNARK compiler in Rust with embedded bellman-bn128 prover. I created it as a PoC port of the existing JavaSc

Apr 4, 2022
Custom Ethereum vanity address generator made in Rust
Custom Ethereum vanity address generator made in Rust

ethaddrgen Custom Ethereum address generator Get a shiny ethereum address and stand out from the crowd! Disclaimer: Do not use the private key shown i

May 6, 2022
Rust Ethereum 2.0 Client
Rust Ethereum 2.0 Client

Lighthouse: Ethereum 2.0 An open-source Ethereum 2.0 client, written in Rust and maintained by Sigma Prime. Documentation Overview Lighthouse is: Read

May 20, 2022
Parity-Bridge — Bridge between any two ethereum-based networks

Deprecated Bridges This repo is deprecated. Originally it contained the ETH <> ETH-PoA bridge (see tumski tag). Later it was repurposed for ETH-PoA <>

May 16, 2022
The fast, light, and robust client for the Ethereum mainnet.

OpenEthereum Fast and feature-rich multi-network Ethereum client. » Download the latest release « Table of Contents Description Technical Overview Bui

May 23, 2022
An Ethereum 2.0 Emulator for Local Testing of Eth2 Applications
An Ethereum 2.0 Emulator for Local Testing of Eth2 Applications

Mousse is an Ethereum 2.0 emulator for local testing of Eth2 applications (mainly Rollups). HTTP Server The REST API definition can be found in the ht

Jan 4, 2022
C++ `std::unique_ptr` that represents each object as an NFT on the Ethereum blockchain
C++ `std::unique_ptr` that represents each object as an NFT on the Ethereum blockchain

C++ `std::unique_ptr` that represents each object as an NFT on the Ethereum blockchain

May 25, 2022
Rust client to Opensea's APIs and Ethereum smart contracts

opensea.rs Rust bindings & CLI to the Opensea API and Contracts CLI Usage Run cargo r -- --help to get the top level help menu: opensea-cli 0.1.0 Choo

May 25, 2022
Ethereum Improvement Proposal Validator

EIP validator An engine which ensures Ethereum Improvement Proposals meet certain requirements. Getting Started To install eipv and validate the EIPs

Dec 6, 2021
Terra Trophies is a copy of Ethereum's POAP project for Terra

Terra Trophies Terra Trophies is a copy of Ethereum's POAP project for Terra. It allows anyone to create digital badges for participants of events, or

Apr 11, 2022
An Ethereum compatible Substrate blockchain for bounties and governance for the Devcash community.

Substrate Node Template A fresh FRAME-based Substrate node, ready for hacking ?? Getting Started Follow the steps below to get started with the Node T

Mar 30, 2022
Scans the Ethereum network for USDT ERC-20 token transfer transactions

ethscan This is a Rust command line program for scanning the Ethereum blockchain for USDT transfers within a time span and amount span. prerequisites

Dec 2, 2021
Terabethia - A Bridge and Messaging Protocol between Ethereum and the Internet Computer.
Terabethia - A Bridge and Messaging Protocol between Ethereum and the Internet Computer.

Terabethia - A Bridge Between Ethereum & the Internet Computer Terabethia is a bridge between Ethereum & the Internet Computer that contracts in both

Apr 30, 2022
Emerging smart contract language for the Ethereum blockchain.

Emerging smart contract language for the Ethereum blockchain.

May 18, 2022
zkSync: trustless scaling and privacy engine for Ethereum

zkSync: scaling and privacy engine for Ethereum zkSync is a scaling and privacy engine for Ethereum. Its current functionality scope includes low gas

May 25, 2022
Bellman zkSNARK library for community with Ethereum's BN256 support

bellman "Community edition" Originally developed for ZCash, with extensions from us to make it a little more pleasant. Uses our "community edition" pa

May 25, 2022
Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.

foundry Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust. Foundry consists of: Forge: Ethe

May 24, 2022
Vanitygen-bip39 - Generate vanity / gas efficient Ethereum addresses for your hdwallet (bip39 12 or 24 words)
Vanitygen-bip39 - Generate vanity / gas efficient Ethereum addresses for your hdwallet (bip39 12 or 24 words)

vanitygen-bip39 Generate Ethereum gas efficient addresses with leading zeros https://medium.com/coinmonks/on-efficient-ethereum-addresses-3fef0596e263

Mar 21, 2022
A library to help you sew up your Ethereum project with Rust and just like develop in a common backend

SewUp Secondstate EWasm Utility Program, a library helps you sew up your Ethereum project with Rust and just like development in a common backend. The

May 24, 2022