The programming languages community, the cryptography community, and others rely on translating programs in high-level source languages (e.g., C) to logical constraint representations. Unfortunately, building compilers for this task is difficult and time consuming. In this work, Alex Ozdemir et al present CirC, an infrastructure for building compilers for SNARKs that build upon a common abstraction: stateless, non-deterministic computations called existentially quantified circuits, or EQCs.
4. Zero-Knowledge: Challenges
• For ZK-proofs, you need a system of arithmetic constraints (R1CS)
1. Need compilers from high level languages to R1CS with
• Small output (efficiency)
• Accurate output (correctness)
Pequin (C)
[SBVBPW’13]
[BFRSBW’13]
[WSRBW’15]
ZoKrates
[EbeTai’18]
Zinc
circom
xJSnark
[KosPapShi’18]
PySNARK (~py)
Leo
Snarky
Cairo
R1CS
5. A (General) Compilation Problem
High-level languages:
• stateful
• control-flow
• uniform
Circuits:
• state-free
• non-uniform
• non-deterministic
𝑥0
𝑥1
𝑥2
𝑤0
𝑤1
Compiler
“circuits” also used in:
• SMT solving/verification
• Optimization (ILP)
• Multiparty computation
6. Our Approach: Common Infrastructure
Common Infrastructure for Compiling to
(Existentially Quantified) Circuits
CirC
ZoKrates
SMT Solver
Proof System
ILP?
MPC?
10. Extensibility Case Study: ZoKrates
ZoKrates: Language designed to be compiled to R1CS (2018).
Compiler Reference
Lines of Code ~28,000
Development Time 3 years
Contributors 36
Output Size good
11. Extensibility Case Study: ZoKrates
ZoKrates: Language designed to be compiled to R1CS (2018).
Compiler Reference CirC
Lines of Code ~28,000 ~700
Development Time 3 years 1 week
Contributors 36 1
Output Size good better
13. What Does a Front-End Look Like?
A frontend is written as an
interpreter…
… with state management
abstracted out!
Automatic:
• Variables (mutation, scope, etc.)
• Data-dependent arrays
• Control Flow
CirC-IR
(SMT-like)
Python
15. Benefits of Common Infrastructure
• Easy extension to new
languages/circuits
• Built a better ZoKrates compiler in
≈ 40 × less code
• common optimizations
• Constant folding
• Memory representation
• Mix & match targets
• Automated zero-knowledge proof-
of-bug
• SMT-assisted optimization of
arithmetic circuits
23. Optimizations: Array Elimination
• Oblivious Arrays
• Arrays accessed at constant
indices
• Replaced with distinct terms
• Like scalar replacement
x = [y,z];
x[0] = x[1]+x[0];
y = x[0];
x01 = y1; x11 = z;
x02 = x01 + x11;
y2 = x02;
24. Optimizations: Routing-Based Memory
• Replace memory operations (array encoded) with the following…
access 0 load addr val
access 1 load addr val
access 2 load addr val
access 3 load addr val
access 4 load addr val
Program Order
access id load addr val
access id load addr val
access id load addr val
access id load addr val
access id load addr val
Address Order
• Check
order
• Check read-
over-write
Waksman
routing network
(existential
switch settings)
[WSRBW’15] [BCTV’14] [BCGTV’13] [BEGKN’94]
26. Backends
SMT (Z3)
• Support for
• Bit-vectors
• Booleans
• Floating-point
• Arrays
• (all but finite fields)
R1CS (Finite Field Equations)
• Support for
• Bit-vectors (that fit in the field)
• Booleans
• Finite Fields
• Some arrays (via memory-
checking)
27. Common Optimization: Constant Folding
• Define a hash 𝐻.
• Assert ∃𝑥. 𝐻 𝑥 0. . 8 = 0
• Vary:
• Length of 𝑥
• Constant folding pass
• Measure
• SMT solver time
• R1CS constraint count
e.g. 5 + 6 → 11
28. Common Optimization: Array Elimination
• Define a program:
• Fills an array with non-
deterministic values
• Computes the sum
• Asserts a non-zero sum
• Vary:
• array size
• array elimination pass
29. Common Optimization: Array Granularity
• Program:
• Represents permutations on
{0,1, . . , 𝑛} with arrays
• Applies a sequence of
permutations (via indexing)
• Vary:
• Permutation size
• % permutations fused into a single
array
Stack
𝐴0
𝐴1
𝐴2
𝐴0
𝐴1
𝐴2
vs.
coarse fine
32. Cross-Over: Proof-of-Bug
1. Compile program & assertion
to IR
2. Lower to SMT
3. Find violation with solver
4. Lower to R1CS
5. Prove knowledge of violation
Openssl’s 𝑐 = 𝑐 + 2𝑎𝑏
(𝑐 in 3 limbs)
33. CirC: Compilation Infrastructure for Circuits
Different circuits can share
compiler infrastructure
Benefits:
• Easy extension
• Shared optimizations
• Cross-over opportunities
Future Directions:
• More languages, more targets
CirC
ZoKrates
SMT Solver
Proof System
ILP?
MPC?
https://ia.cr/2020/1586