

# Keridise.

Static Analysis for ZK Circuits

> Kostas Ferles CRO, Veridise

### Veridise. | Recap

- You should have access to SaaS by now.
  - Let us know if there are any issues with this.
- Hope you had some fun staring at CDGs.
  - After this lecture, you will get access to more detectors.
  - No more staring at CDGs, let zkVanguard do the job for you.
  - Quiz 3 will be released after this lecture.





Circom source code

Analysis representation Output report













#### **Static Analysis** Abstraction



Bug Pattern 1 (Prog is Safe)

#### Static Analysis Abstraction



Bug Pattern 1 (Prog is Safe)

> Bug Pattern 2 (Bug)

#### Static Analysis Abstraction



Bug Pattern 1 (Prog is Safe)

> Bug Pattern 2 (Bug)

#### Static Analysis Abstraction

All Program States

> Bug Pattern 3 (False alarm)



### Veridise. Let's Start With a Demo

#### **Doc example for under-constrained outputs**

#### uco\_example.circom

```
pragma circom 2.0.0;
 2
   template LowestBitIsOne() {
     signal input inp;
     signal output outp;
 5
 6
     outp <-- inp & 1;
7
     outp * (outp - 1) === 0;
 8
 9
10
   component main = LowestBitIsOne();
11
```

#### **Docs for all available** to you!





## Veridise. Quick Dive Into zk-Vanguard

- Most of zkVanguard detectors are simply looking for a path (or its absence) on a CDG.
  - For instance NDW, will look if a signal affects a branch.
- The logic of some detectors can be a bit more complex.
  - Let's take a closer look to the uc-output detector.



### Veridise. | The trivial case first

uco\_example.circom

```
1 pragma circom 2.0.0;
2
3 template LowestBitIsOne() {
4 signal input inp;
5 signal output outp;
6
7 outp <-- inp & 1;
8 outp * (outp - 1) === 0;
9 }
10
11 component main = LowestBitIsOne();
```



- No constraint edge between inp and outp
- zkVanguard will report this as a bug



### Veridise. | Let's Complicate Things

|   | 1                                                        | pr | a      | gı             | n      | a |
|---|----------------------------------------------------------|----|--------|----------------|--------|---|
|   | 2<br>3                                                   | +  |        | ~ '            | 1      | ~ |
|   | 3<br>4                                                   | te | S.     |                |        |   |
|   | 5                                                        |    | S      | i              | y<br>a | n |
|   | 6                                                        |    | S      | i              | g      | n |
|   | 7                                                        |    |        |                |        |   |
|   | 8                                                        |    | 0      |                |        |   |
|   | 9                                                        |    | 0      |                |        |   |
|   | 10                                                       | ,  | 0      | u <sup>.</sup> | t      | 2 |
|   | 10<br>11<br>12<br>13<br>14<br>15<br>16                   | }  |        |                |        |   |
|   | בו<br>וכ                                                 | te | m      | 'n             | 1      | 2 |
|   | 14                                                       | Le | S.     |                |        |   |
|   | 15                                                       |    | s      | i              | g      | n |
|   | 16                                                       |    | S<br>S | i              | g      | n |
|   | 17                                                       |    |        |                |        |   |
| 1 | 18                                                       |    | C      | 01             | n      | p |
| 1 | 19                                                       |    |        |                |        |   |
|   | 20                                                       |    | b      | •              | i      | n |
| í | 21                                                       |    | ے      |                |        | - |
| 4 | 22                                                       |    | f<br>f |                |        |   |
|   | 23                                                       | }  |        |                | u      | Ľ |
|   | 25                                                       | ,  |        |                |        |   |
|   | 17<br>18<br>19<br>20<br>21<br>22<br>23<br>24<br>25<br>26 | сс | om     | p              | 0      | n |
|   |                                                          |    |        |                |        |   |

```
circom 2.0.0;
```

```
ate Bar() {
al input in;
al output out1;
al output out2;
```

```
<== in + 5;
<-- in & 1;
* (out2 - 1) === 0;
```

```
ate Foo() {
al input inp;
al output fout1;
al output fout2;
onent b = Bar();
al <== inp;
al <== b.out1;</pre>
```

```
2 <== b.out2;
```

```
nent main = Foo();
```



## Veridise. | Let's Complicate Things

### out1 is fine! out2 not so much

| 1<br>2 | pr | a | g | m | a |
|--------|----|---|---|---|---|
| 3      | te | m | р | ι | а |
| 4      |    |   |   |   | n |
| 5      |    |   |   |   | n |
| б      |    |   |   |   | n |
| 7      |    |   |   | Ĩ |   |
| 8      |    | 0 | u | t | 1 |
| 9      |    |   |   |   | 2 |
| 0      |    | 0 | u | t | 2 |
| 1      | }  |   |   |   |   |
| 2      |    |   |   |   |   |
| 3      | te | m | p | ι | а |
| 4      |    |   |   |   | n |
| 5      |    | s | i | g | n |
| 6      |    | s | i | g | n |
| 7      |    |   |   | Ū |   |
| 8      |    | с | 0 | m | р |
| 9      |    |   |   |   | 1 |
| 0      |    | b |   | i | n |
| 1      |    |   |   |   |   |
| 2      |    | f | 0 | u | t |
| 3      |    | f | 0 | u | t |
| 4      | }  |   |   |   |   |
| 5      |    |   |   |   |   |
| 6      | со | m | р | 0 | n |

```
circom 2.0.0;
```

```
te Bar() {
al input in;
al output out1;
al output out2;
```

```
<== in + 5;
<-- in & 1;
* (out2 - 1) === 0;
```

```
ite Foo() {
    al input inp;
    al output fout1;
    al output fout2;
onent b = Bar();
    <== inp;
    1 <== b.out1;</pre>
```

```
2 <== b.out2;
```

```
ent main = Foo();
```



## Veridise. | Let's Complicate Things



```
1 pragma circom 2.0.0;
```

```
3 template Bar() {
4 signal input in;
5 signal output out1;
6 signal output out2;
```

```
out1 <== in + 5;
out2 <-- in & 1;
out2 * (out2 - 1) === 0;
```

```
template Foo() {
   signal input inp;
   signal output fout1;
   signal output fout2;
   component b = Bar();
   b.in <== inp;
   fout1 <== b.out1;</pre>
```

```
fout2 <== b.out2;</pre>
```

```
26 component main = Foo();
```



### Veridise. What should we do?

- Naive solution:
- Can we do something smarter? •
  - Well, glad you asked :)



### • Every time you analyze a template, also analyze all its sub-components.

• **Problem:** This doesn't scale for real-world circuits. (Redundant computation)



### Veridise. | The Smart(er) Solution

- Before you analyze a template **T**:
  - Make sure you have analyzed all of its sub-components.
  - Every time you analyze a template, create a summary for its outputs.



Summary for Bar:

- out1 -> {in}, out2 -> {}
- I.e., out1 is fine, out2 is not!



### Veridise. | The Smart(er) Solution

- Now when you analyze **T**:
  - No need to re-analyze its sub-components.
  - Just use their summary to propagate information for signals of T



- Summary for Bar: out1 -> {in}, out2 -> {}
- Translate those signals in terms of Foo:
  - out1 is b.out1, out2 is b.out2, and in is b.in
- Therefor we can infer the following for Foo:
  - fout1 -> {inp}, fout2 -> {}
  - Note constraints involving inp, fout1, fout2 with signals from Bar



### Veridise. | Let's see if zk-Vanguard agrees

----Preprocessing sources----Running circom... Done running circom ----Running Vanguard with dump-cdg,uc-outputs detector----Running detector: dump-cdg

Vanguard's CDG Generator did not find any issues.

Running detector: uc-outputs

Vanguard's unconstrained output signal detector found the following issues:

[CRITICAL] In template Bar in foo.circom:3, Vanguard found an output signal that is unconstrained: \* Signal out2

[CRITICAL] In template Foo in foo.circom:13, Vanguard found an output signal that is unconstrained: \* Signal out2

\_\_\_\_\_

.....

\_\_\_\_\_

\_\_\_\_\_



### Veridise. That's all!

- Let us know if you have any question!
- For the RACE winners:
  - Vanguard
  - And it's time to also write some circom on your own ;)

#### Hope you have fun navigating some more complex code-bases with zk-

