zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits
- URL: http://arxiv.org/abs/2504.11961v1
- Date: Wed, 16 Apr 2025 10:43:48 GMT
- Title: zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits
- Authors: Hideaki Takahashi, Jihwan Kim, Suman Jana, Junfeng Yang,
- Abstract summary: ZK circuits enable privacy-preserving computations and are central to many cryptographic protocols.<n>Existing tools overlook several critical behaviors, such as intermediate computations and program aborts.<n>We present zkFuzz, a novel program mutation-based fuzzing framework for detecting TCCT violations.
- Score: 24.179342690266523
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Zero-knowledge (ZK) circuits enable privacy-preserving computations and are central to many cryptographic protocols. Systems like Circom simplify ZK development by combining witness computation and circuit constraints in one program. However, even small errors can compromise security of ZK programs --under-constrained circuits may accept invalid witnesses, while over-constrained ones may reject valid ones. Static analyzers are often imprecise with high false positives, and formal tools struggle with real-world circuit scale. Additionally, existing tools overlook several critical behaviors, such as intermediate computations and program aborts, and thus miss many vulnerabilities. Our theoretical contribution is the Trace-Constraint Consistency Test (TCCT), a foundational language-independent formulation of ZK circuit bugs that defines bugs as discrepancies between the execution traces of the computation and the circuit constraints. TCCT captures both intermediate computations and program aborts, detecting bugs that elude prior tools. Our systems contribution is zkFuzz, a novel program mutation-based fuzzing framework for detecting TCCT violations. zkFuzz systematically mutates the computational logic of Zk programs guided by a novel fitness function, and injects carefully crafted inputs using tailored heuristics to expose bugs. We evaluated zkFuzz on 354 real-world ZK circuits written in Circom, a leading programming system for ZK development. zkFuzz successfully identified 66 bugs, including 38 zero-days --18 of which were confirmed by developers and 6 fixed, earning bug bounties.
Related papers
- Towards Fuzzing Zero-Knowledge Proof Circuits (Short Paper) [1.6822770693792823]
Zero-knowledge proofs (ZKPs) have evolved from a theoretical cryptographic concept into a powerful tool for implementing privacy-preserving and verifiable applications without requiring trust assumptions.
We discuss the challenges of applying fuzzing to ZKP circuits, examine the oracle problem and its potential solutions, and propose techniques for input generation and test harness construction.
We demonstrate that fuzzing can be effective in this domain by implementing a fuzzer for textttzk-regex, a cornerstone library in modern ZKP applications.
arXiv Detail & Related papers (2025-04-21T06:19:06Z) - Fuzzing-based Mutation Testing of C/C++ CPS [2.362412515574206]
State-of-the-art mutation testing techniques for C and C++ software depend on symbolic execution.<n>We propose relying on fuzz testing, which has demonstrated its effectiveness for C and C++ software.
arXiv Detail & Related papers (2025-03-31T13:55:27Z) - Fundamental thresholds for computational and erasure errors via the coherent information [1.4767596539913115]
We propose a framework based on the coherent information (CI) of the mixed-state density operator associated to noisy QEC codes.
We show how to rigorously derive different families of statistical mechanics mappings for generic stabilizer QEC codes in the presence of both types of errors.
arXiv Detail & Related papers (2024-12-21T18:30:30Z) - Demonstrating dynamic surface codes [138.1740645504286]
We experimentally demonstrate three time-dynamic implementations of the surface code.<n>First, we embed the surface code on a hexagonal lattice, reducing the necessary couplings per qubit from four to three.<n>Second, we walk a surface code, swapping the role of data and measure qubits each round, achieving error correction with built-in removal of accumulated non-computational errors.<n>Third, we realize the surface code using iSWAP gates instead of the traditional CNOT, extending the set of viable gates for error correction without additional overhead.
arXiv Detail & Related papers (2024-12-18T21:56:50Z) - Algorithmic Fault Tolerance for Fast Quantum Computing [37.448838730002905]
We show that fault-tolerant logical operations can be performed with constant time overhead for a broad class of quantum codes.
We prove that the deviation from the ideal measurement result distribution can be made exponentially small in the code distance.
Our work sheds new light on the theory of fault tolerance, potentially reducing the space-time cost of practical fault-tolerant quantum computation by orders of magnitude.
arXiv Detail & Related papers (2024-06-25T15:43:25Z) - AC4: Algebraic Computation Checker for Circuit Constraints in ZKPs [4.810904298160317]
Underconstrained or overconstrained circuits may lead to bugs.
A tool, AC4, is proposed to represent the implementation of the method.
Within a solvable range, the checking time has also exhibited noticeable improvement.
arXiv Detail & Related papers (2024-03-23T01:44:57Z) - Fault-tolerant quantum architectures based on erasure qubits [49.227671756557946]
We exploit the idea of erasure qubits, relying on an efficient conversion of the dominant noise into erasures at known locations.
We propose and optimize QEC schemes based on erasure qubits and the recently-introduced Floquet codes.
Our results demonstrate that, despite being slightly more complex, QEC schemes based on erasure qubits can significantly outperform standard approaches.
arXiv Detail & Related papers (2023-12-21T17:40:18Z) - Guess & Sketch: Language Model Guided Transpilation [59.02147255276078]
Learned transpilation offers an alternative to manual re-writing and engineering efforts.
Probabilistic neural language models (LMs) produce plausible outputs for every input, but do so at the cost of guaranteed correctness.
Guess & Sketch extracts alignment and confidence information from features of the LM then passes it to a symbolic solver to resolve semantic equivalence.
arXiv Detail & Related papers (2023-09-25T15:42:18Z) - Overcoming leakage in scalable quantum error correction [128.39402546769284]
Leakage of quantum information out of computational states into higher energy states represents a major challenge in the pursuit of quantum error correction (QEC)
Here, we demonstrate the execution of a distance-3 surface code and distance-21 bit-flip code on a Sycamore quantum processor where leakage is removed from all qubits in each cycle.
We report a ten-fold reduction in steady-state leakage population on the data qubits encoding the logical state and an average leakage population of less than $1 times 10-3$ throughout the entire device.
arXiv Detail & Related papers (2022-11-09T07:54:35Z) - Software mitigation of coherent two-qubit gate errors [55.878249096379804]
Two-qubit gates are important components of quantum computing.
But unwanted interactions between qubits (so-called parasitic gates) can degrade the performance of quantum applications.
We present two software methods to mitigate parasitic two-qubit gate errors.
arXiv Detail & Related papers (2021-11-08T17:37:27Z) - Fault-tolerant parity readout on a shuttling-based trapped-ion quantum
computer [64.47265213752996]
We experimentally demonstrate a fault-tolerant weight-4 parity check measurement scheme.
We achieve a flag-conditioned parity measurement single-shot fidelity of 93.2(2)%.
The scheme is an essential building block in a broad class of stabilizer quantum error correction protocols.
arXiv Detail & Related papers (2021-07-13T20:08:04Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.