ZKP学习笔记

ZK-Learning MOOC课程笔记

Lecture 15: Secure ZK Circuits via Formal Methods (Guest Lecturer: Yu Feng (UCSB & Veridise))

15.2 Formal Methods in ZK (Part I)

• Circuits Workflow
  

  • Source Code: Witness Generation and Constraints
  • Witness Generation and Constraints should (generally) be equivalent!

• What is Equivalence
  

  • Every input-output of P must satisfy C
  • Every (x,y) which satisfies C must be an input-out pair of P

• Equivalence Violations
  

  • Underconstrained Bugs: Verifier can accept bad inputs/ outputs

• A Taxonomy of ZK Bugs
  

• Unconstrained Signals

  • Corresponds to signals whose constraints always evaluate to true, accepting everything

  • Example: Underconstrained Output
    

    • Error: for (var i = 0; i< n, i++)
    • No constrains over the last element of output
    • Attacker can pass in any value for out 2

• Unsafe Component Usage

  • Sub-circuits often assume constraints are placed on inputs and outputs

  • Corresponds to cases where the use of a sub-circuit does not follow

  • Example: Under-Constrained Sub-Circuit Output
    

    • Missing constraint lt.out === 0
    • Without the missing constraint, attackers can withdraw more funds than they have

• Constraint/Computation Discrepancy

  • Not all computation can be directly expressed as a constraint

  • Corresponds to constraints that do not capture a computation’s semantics

  • Example: No Zero Inverse
    

    • Accepts arbitrary out when a and b are 0!

• Circuit Dependence Graphs (CDG)

  • Goal: Identify discrepancies between computation and constraints

  • Data dependence <–

  • Constrain ===
    

  • CDG Example
    

• Vanguard Framework