#zero-knowledge-proofs #risc #proof #verify #risc-v #system

sys risc0-zkp-verify

RISC Zero zero-knowledge proof system verify crate

4 releases (breaking)

0.6.0 May 16, 2022
0.4.0 May 15, 2022
0.2.0 May 15, 2022
0.1.0 Apr 26, 2022

#2435 in Cryptography

Used in 3 crates (via risc0-zkp-prove)



Rust 1.5K SLoC // 0.2% comments C++ 311 SLoC // 0.3% comments Bazel 77 SLoC


Crates.io MIT licensed Build Status Discord chat Twitter

WARNING: This software is still experimental, we do not recommend it for production use (see Security section).

RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture.

A zero knowledge proof allows one party (the prover) to convince another party (the verifier) that something is true without revealing all the details. In the case of RISC Zero, the prover can show they correctly executed some code (known to both parties), while only revealing to the verifier the output of the code, not any of its inputs or any state during execution.

The code runs in a special virtual machine, called a zkVM. The RISC Zero zkVM emulates a small RISC-V computer, allowing it to run arbitrary code in any language, so long as a compiler toolchain exists that targets RISC-V. Currently, SDK support exists for Rust, C, and C++.

Protocol overview and terminology

First, the code to be proven must be compiled from its implementation language into a method. A method is represented by a RISC-V ELF file with a special entry point that runs the code of the method. Additionally, one can compute for a given method its image ID which is a special type of cryptographic hash of the ELF file, and is required for verification.

Next, the host program runs and proves the method inside the zkVM. The logical RISC-V machine running inside the zkVM is called the guest and the prover running the zkVM is called the host. The guest and the host can communicate with each other during the execution of the method, but the host cannot modify the execution of the guest in any way, or the proof being generated will be invalid. During execution, the guest code can write to a special append-only log called the journal that represents the official output of the computation.

Presuming the method terminated correctly, a receipt is produced, which provides the proof of correct execution. This receipt consists of 2 parts: the journal written during execution and a blob of opaque cryptographic data called the seal.

The verifier can then verify the receipt and examine the log. If any tampering was done to the journal or the seal, the receipt will fail to verify. Additionally, it is cryptographically infeasible to generate a valid receipt unless the output of the journal is the exactly correct output for some valid execution of the method whose image ID matches the receipt. In summary, the receipt acts as a zero knowledge proof of correct execution.

Because the protocol is zero knowledge, the verifier cannot infer anything about the details of the execution or any data passed between the host and the guest (aside from what is implied by the data written to the journal and the correct execution of the code).


This code is based on the well studied zk-STARK protocol, which has been proven secure under the random oracle model, with the only assumption being the security of the cryptographic hash used. Our implementation uses SHA-256 for that hash and targets 100 bits of security.

That said, this code is still under heavy development and has not been audited. There may be bugs in the zk-STARK implementation, the arithmetic circuit used to instantiate the RISC-V zkVM, or any other element of the code's implementation. Such bugs may impact the security of receipts, leak information, or cause any other manner of problems. Caveat emptor.

Getting Started

To start your own project, you can use our cargo risczero tool to write the initial boilerplate and set up a standard directory structure. First, install Rust if you don't already have it, then install the cargo risczero tool. We'll use cargo binstall to get cargo-risczero installed. See cargo-binstall for more details.

cargo install cargo-binstall
cargo binstall cargo-risczero

Next we'll need to install the risc0 toolchain with:

cargo risczero install

Then, create a new project (named my_project in this example):

cargo risczero new my_project

More details and options for cargo risczero are given in its README.

For more guidance on how to use RISC Zero, how RISC Zero projects are typically structured, and other resources useful to developers new to RISC Zero, see our Getting Started page.

Rust Binaries

crate crates.io
cargo-risczero x
risc0-r0vm x
risc0-tools x

Rust Libraries

crate crates.io docs.rs
bonsai-sdk x
risc0-binfmt x
risc0-build x
risc0-build-kernel x
risc0-circuit-recursion x
risc0-circuit-recursion-sys x
risc0-circuit-rv32im x
risc0-circuit-rv32im-sys x
risc0-core x
risc0-sys x
risc0-zkp x
risc0-zkvm x
risc0-zkvm-platform x

Feature flags

The following feature flags are present in one or more of the crates listed above:

Feature Target(s) Implies Description Crates
client all except rv32im std Enables the client API. risc0-zkvm
cuda prove, std Enables CUDA GPU acceleration for the prover. Requires CUDA toolkit to be installed. risc0-circuit-recursion, risc0-circuit-rv32im, risc0-zkp, risc0-zkvm
disable-dev-mode all except rv32im Disables dev mode so that proving and verifying may not be faked. Used to prevent a misplaced RISC0_DEV_MODE from breaking security in production systems. risc0-zkvm
metal macos prove, std Enables Metal GPU acceleration for the prover. risc0-circuit-recursion, risc0-circuit-rv32im, risc0-zkp, risc0-zkvm
prove all except rv32im std Enables the prover, incompatible within the zkvm guest. risc0-circuit-recursion, risc0-circuit-rv32im, risc0-zkp, risc0-zkvm
std all Support for the Rust stdlib. risc0-circuit-recursion, risc0-circuit-rv32im, risc0-zkp, risc0-zkvm


This project is licensed under the Apache2 license. See LICENSE.


~34K SLoC