20 releases (6 breaking)
|0.19.1||Nov 9, 2023|
|0.19.0||Oct 31, 2023|
|0.16.1||Jul 13, 2023|
|0.14.0||Mar 29, 2023|
#31 in Caching
4,253 downloads per month
Used in 11 crates (3 directly)
WARNING: This software is still experimental, we do not recommend it for production use (see Security section).
A zero knowledge proof allows one party (the prover) to convince another party (the verifier) that something is true without revealing all the details. In the case of RISC Zero, the prover can show they correctly executed some code (known to both parties), while only revealing to the verifier the output of the code, not any of its inputs or any state during execution.
The code runs in a special virtual machine, called a zkVM. The RISC Zero zkVM emulates a small RISC-V computer, allowing it to run arbitrary code in any language, so long as a compiler toolchain exists that targets RISC-V. Currently, SDK support exists for Rust, C, and C++.
Protocol overview and terminology
First, the code to be proven must be compiled from its implementation language into a method. A method is represented by a RISC-V ELF file with a special entry point that runs the code of the method. Additionally, one can compute for a given method its image ID which is a special type of cryptographic hash of the ELF file, and is required for verification.
Next, the host program runs and proves the method inside the zkVM. The logical RISC-V machine running inside the zkVM is called the guest and the prover running the zkVM is called the host. The guest and the host can communicate with each other during the execution of the method, but the host cannot modify the execution of the guest in any way, or the proof being generated will be invalid. During execution, the guest code can write to a special append-only log called the journal that represents the official output of the computation.
Presuming the method terminated correctly, a receipt is produced, which provides the proof of correct execution. This receipt consists of 2 parts: the journal written during execution and a blob of opaque cryptographic data called the seal.
The verifier can then verify the receipt and examine the log. If any tampering was done to the journal or the seal, the receipt will fail to verify. Additionally, it is cryptographically infeasible to generate a valid receipt unless the output of the journal is the exactly correct output for some valid execution of the method whose image ID matches the receipt. In summary, the receipt acts as a zero knowledge proof of correct execution.
Because the protocol is zero knowledge, the verifier cannot infer anything about the details of the execution or any data passed between the host and the guest (aside from what is implied by the data written to the journal and the correct execution of the code).
This code is based on the well studied zk-STARK protocol, which has been proven secure under the random oracle model, with the only assumption being the security of the cryptographic hash used. Our implementation uses SHA-256 for that hash and targets 100 bits of security.
That said, this code is still under heavy development and has not been audited. There may be bugs in the zk-STARK implementation, the arithmetic circuit used to instantiate the RISC-V zkVM, or any other element of the code's implementation. Such bugs may impact the security of receipts, leak information, or cause any other manner of problems. Caveat emptor.
To start your own project, you can use our
cargo risczero tool to write the
initial boilerplate and set up a standard directory structure.
First, install Rust if you don't already have it, then install the
cargo risczero tool.
cargo binstall to get
cargo-risczero installed. See cargo-binstall for more details.
cargo install cargo-binstall cargo binstall cargo-risczero
Next we'll need to install the
risc0 toolchain with:
cargo risczero install
Then, create a new project (named
my_project in this example):
cargo risczero new my_project
More details and options for
cargo risczero are given in
For more guidance on how to use RISC Zero, how RISC Zero projects are typically structured, and other resources useful to developers new to RISC Zero, see our Getting Started page.
The following feature flags are present in one or more of the crates listed above:
|client||all except rv32im||std||Enables the client API.||risc0-zkvm|
|cuda||prove, std||Turns on CUDA GPU acceleration for the prover. Requires CUDA toolkit to be installed.||risc0-circuit-recursion, risc0-circuit-rv32im, risc0-zkp, risc0-zkvm|
|disable-dev-mode||all except rv32im||Disables dev mode so that proving and verifying may not be faked. Used to prevent a misplaced
|metal||macos||prove, std||Turns on Metal GPU acceleration for the prover.||risc0-circuit-recursion, risc0-circuit-rv32im, risc0-zkp, risc0-zkvm|
|profiler||all except rv32im||Counts cycles during guest execution as an aid to code optimization.||risc0-zkvm|
|prove||all except rv32im||std||Enables the prover, incompatible within the zkvm guest.||risc0-circuit-recursion, risc0-circuit-rv32im, risc0-zkp, risc0-zkvm|
|std||all||Support for the Rust stdlib.||risc0-circuit-recursion, risc0-circuit-rv32im, risc0-zkp, risc0-zkvm|
This project is licensed under the Apache2 license. See LICENSE.