Related papers: zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits

zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits

URL: http://arxiv.org/abs/2504.11961v2
Date: Fri, 10 Oct 2025 00:15:49 GMT
Title: zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits
Authors: Hideaki Takahashi, Jihwan Kim, Suman Jana, Junfeng Yang,
Abstract summary: ZK circuits enable privacy-preserving computations and are central to many cryptographic protocols.<n>Existing tools overlook several critical behaviors, such as intermediate computations and program aborts.<n>Our theoretical contribution is the Trace-Constraint Consistency Test (TCCT), a foundational, language-independent formulation of ZK circuit bugs.<n>Our systems contribution is zkFuzz, a novel program mutation-based fuzzing framework for detecting TCCT violations.
Score: 31.293912288211718
License: http://creativecommons.org/licenses/by/4.0/
Abstract: Zero-knowledge (ZK) circuits enable privacy-preserving computations and are central to many cryptographic protocols. Systems like Circom simplify ZK development by combining witness computation and circuit constraints in one program. However, even small errors can compromise security of ZK programs -- under-constrained circuits may accept invalid witnesses, while over-constrained ones may reject valid ones. Static analyzers are often imprecise with high false positives, and formal tools struggle with real-world circuit scale. Additionally, existing tools overlook several critical behaviors, such as intermediate computations and program aborts, and thus miss many vulnerabilities. Our theoretical contribution is the Trace-Constraint Consistency Test (TCCT), a foundational, language-independent formulation of ZK circuit bugs. TCCT provides a unified semantics that subsumes prior definitions and captures both under- and over-constrained vulnerabilities, exposing the full space of ZK bugs that elude prior tools. Our systems contribution is zkFuzz, a novel program mutation-based fuzzing framework for detecting TCCT violations. zkFuzz systematically mutates the computational logic of Zk programs guided by a novel fitness function, and injects carefully crafted inputs using tailored heuristics to expose bugs. We evaluated zkFuzz on 452 real-world ZK circuits written in Circom, a leading programming system for ZK development. zkFuzz successfully identified 85 bugs, including 59 zero-days-39 of which were confirmed by developers and \nfixed fixed, including bugs undetectable by prior works due to their fundamentally limited formulations, earning thousands of bug bounties. Our preliminary research on Noir, another emerging DSL for ZK circuit, also demonstrates the feasibility of zkFuzz to support multiple DSLs.

Related papers

Certified Circuits: Stability Guarantees for Mechanistic Circuits [80.30622018787835]
Certified Circuits provides provable stability guarantees for circuit discovery.<n>On ImageNet and OOD datasets, certified circuits achieve up to 91% higher accuracy.
arXiv Detail & Related papers (2026-02-26T13:07:31Z)
A Physics-Informed Neuro-Fuzzy Framework for Quantum Error Attribution [0.4511923587827302]
We present a neuro-fuzzy framework that addresses the attribution problem by combining Adaptive Neuro-Fuzzy Inference Systems with physics-grounded feature engineering.<n>We introduce the Bhattacharyya Veto, a hard physical constraint grounded in the Data Processing Inequality.<n>This work establishes a robust, interpretable diagnostic layer that prevents error mitigation techniques from being applied to logically flawed circuits.
arXiv Detail & Related papers (2026-02-22T16:19:51Z)
zkCraft: Prompt-Guided LLM as a Zero-Shot Mutation Pattern Oracle for TCCT-Powered ZK Fuzzing [7.274627641804014]
zkCraft is a framework that combines deterministic, R1CS-aware localization with proof-bearing search to detect semantic inconsistencies.<n>We show that proof-bearing localization detects diverse under- and over-constrained faults with low false positives and reduces costly solver interaction.
arXiv Detail & Related papers (2026-01-31T11:31:00Z)
CARE What Fails: Contrastive Anchored-REflection for Verifiable Multimodal [84.71254539482369]
Group-relative reinforcement learning with verifiable rewards (RLVR) often wastes the most informative data it already has the failures.<n>We present CARE, a failure-centric post-training framework for multimodal reasoning that turns errors into supervision.<n> CARE improves accuracy and training smoothness while explicitly increasing the share of learning signal that comes from failures.
arXiv Detail & Related papers (2025-12-22T16:34:21Z)
What Do They Fix? LLM-Aided Categorization of Security Patches for Critical Memory Bugs [46.325755802511026]
We developLM, a dual-method pipeline that integrates two approaches based on a Large Language Model (LLM) and a fine-tuned small language model.<n>LM successfully identified 111 of 5,140 recent Linux kernel patches addressing OOB or UAF vulnerabilities, with 90 true positives confirmed by manual verification.
arXiv Detail & Related papers (2025-09-26T18:06:36Z)
From Evaluation to Enhancement: Large Language Models for Zero-Knowledge Proof Code Generation [8.358179599532592]
Zero-knowledge proofs (ZKPs) are increasingly deployed in domains such as privacy-preserving authentication, blockchain scalability, and secure finance.<n>Unlike mainstream programming, ZK development requires reasoning about finite field arithmetic, constraint systems, and gadgets.<n>We introduce textscZK-Coder, an agentic framework that augments large language models with constraint sketching, guided retrieval, and interactive repair.
arXiv Detail & Related papers (2025-09-15T09:07:52Z)
Detecting the Root Cause Code Lines in Bug-Fixing Commits by Heterogeneous Graph Learning [1.5213722322518697]
Automated defect prediction tools can proactively identify software changes prone to defects within software projects.<n>Existing work in heterogeneous and complex software projects continues to face challenges, such as struggling with heterogeneous commit structures and ignoring cross-line dependencies in code changes.<n>We propose an approach called RC_Detector, which consists of three main components: the bug-fixing graph construction component, the code semantic aggregation component, and the cross-line semantic retention component.
arXiv Detail & Related papers (2025-05-02T05:39:50Z)
Towards Fuzzing Zero-Knowledge Proof Circuits (Short Paper) [1.6822770693792823]
Zero-knowledge proofs (ZKPs) have evolved from a theoretical cryptographic concept into a powerful tool for implementing privacy-preserving and verifiable applications without requiring trust assumptions. We discuss the challenges of applying fuzzing to ZKP circuits, examine the oracle problem and its potential solutions, and propose techniques for input generation and test harness construction. We demonstrate that fuzzing can be effective in this domain by implementing a fuzzer for textttzk-regex, a cornerstone library in modern ZKP applications.
arXiv Detail & Related papers (2025-04-21T06:19:06Z)
Fuzzing-based Mutation Testing of C/C++ CPS [2.362412515574206]
State-of-the-art mutation testing techniques for C and C++ software depend on symbolic execution.<n>We propose relying on fuzz testing, which has demonstrated its effectiveness for C and C++ software.
arXiv Detail & Related papers (2025-03-31T13:55:27Z)
Fundamental thresholds for computational and erasure errors via the coherent information [1.4767596539913115]
We propose a framework based on the coherent information (CI) of the mixed-state density operator associated to noisy QEC codes. We show how to rigorously derive different families of statistical mechanics mappings for generic stabilizer QEC codes in the presence of both types of errors.
arXiv Detail & Related papers (2024-12-21T18:30:30Z)
Demonstrating dynamic surface codes [138.1740645504286]
We experimentally demonstrate three time-dynamic implementations of the surface code.<n>First, we embed the surface code on a hexagonal lattice, reducing the necessary couplings per qubit from four to three.<n>Second, we walk a surface code, swapping the role of data and measure qubits each round, achieving error correction with built-in removal of accumulated non-computational errors.<n>Third, we realize the surface code using iSWAP gates instead of the traditional CNOT, extending the set of viable gates for error correction without additional overhead.
arXiv Detail & Related papers (2024-12-18T21:56:50Z)
Algorithmic Fault Tolerance for Fast Quantum Computing [37.448838730002905]
We show that fault-tolerant logical operations can be performed with constant time overhead for a broad class of quantum codes. We prove that the deviation from the ideal measurement result distribution can be made exponentially small in the code distance. Our work sheds new light on the theory of fault tolerance, potentially reducing the space-time cost of practical fault-tolerant quantum computation by orders of magnitude.
arXiv Detail & Related papers (2024-06-25T15:43:25Z)
AC4: Algebraic Computation Checker for Circuit Constraints in ZKPs [4.810904298160317]
Underconstrained or overconstrained circuits may lead to bugs. A tool, AC4, is proposed to represent the implementation of the method. Within a solvable range, the checking time has also exhibited noticeable improvement.
arXiv Detail & Related papers (2024-03-23T01:44:57Z)
Fault-tolerant quantum architectures based on erasure qubits [49.227671756557946]
We exploit the idea of erasure qubits, relying on an efficient conversion of the dominant noise into erasures at known locations. We propose and optimize QEC schemes based on erasure qubits and the recently-introduced Floquet codes. Our results demonstrate that, despite being slightly more complex, QEC schemes based on erasure qubits can significantly outperform standard approaches.
arXiv Detail & Related papers (2023-12-21T17:40:18Z)
Guess & Sketch: Language Model Guided Transpilation [59.02147255276078]
Learned transpilation offers an alternative to manual re-writing and engineering efforts. Probabilistic neural language models (LMs) produce plausible outputs for every input, but do so at the cost of guaranteed correctness. Guess & Sketch extracts alignment and confidence information from features of the LM then passes it to a symbolic solver to resolve semantic equivalence.
arXiv Detail & Related papers (2023-09-25T15:42:18Z)
Overcoming leakage in scalable quantum error correction [128.39402546769284]
Leakage of quantum information out of computational states into higher energy states represents a major challenge in the pursuit of quantum error correction (QEC) Here, we demonstrate the execution of a distance-3 surface code and distance-21 bit-flip code on a Sycamore quantum processor where leakage is removed from all qubits in each cycle. We report a ten-fold reduction in steady-state leakage population on the data qubits encoding the logical state and an average leakage population of less than $1 times 10-3$ throughout the entire device.
arXiv Detail & Related papers (2022-11-09T07:54:35Z)
Software mitigation of coherent two-qubit gate errors [55.878249096379804]
Two-qubit gates are important components of quantum computing. But unwanted interactions between qubits (so-called parasitic gates) can degrade the performance of quantum applications. We present two software methods to mitigate parasitic two-qubit gate errors.
arXiv Detail & Related papers (2021-11-08T17:37:27Z)
Fault-tolerant parity readout on a shuttling-based trapped-ion quantum computer [64.47265213752996]
We experimentally demonstrate a fault-tolerant weight-4 parity check measurement scheme. We achieve a flag-conditioned parity measurement single-shot fidelity of 93.2(2)%. The scheme is an essential building block in a broad class of stabilizer quantum error correction protocols.
arXiv Detail & Related papers (2021-07-13T20:08:04Z)

This list is automatically generated from the titles and abstracts of the papers in this site.