SNARKProbe: An Automated Security Analysis Framework for zkSNARK Implementations

Abstract

With the growing interest in privacy-enhancing technologies, we are seeing a complementary growth in the desire to build and deploy complex cryptographic systems that involve techniques like zero-knowledge proofs. Of these, general purpose proof systems like zkSNARKs have seen the most interest, due to their small proof size, fast verification, and expressiveness. Unfortunately, as we have seen with many areas of cryptography, guaranteeing correct implementations can be tricky, as the protocols themselves are complicated and often require substantial low-level manual effort to achieve maximum performance. To help with this problem, and gain better assurances about the correctness and security of already implemented zkSNARK protocols and the privacy-enhancing applications that use them, we design and build SNARKProbe, an automated security analysis framework for zkSNARKs that can scan R1CS-based libraries and applications to detect various issues, such as edge case crashing, cryptographic operation errors, and/or inconsistencies with protocol descriptions. SNARKProbe leverages a variety of analysis techniques, including fuzzing and SMT solvers. We test the performance of SNARKProbe on a variety of different experimental parameters to demonstrate its practicality and reasonable runtime, and we also evaluate its ability to find potential inconsistencies and errors in implementations.

Appendices

A Additional Information for Constraint Checker

1.1 A.1 An optimization for the SMT solver

The SMT solver may take a while to solve some complicated equations. To reduce the processing time in the equality check, we introduce optimizations and simplify some equations in the R1CS matrix. For example, many libsnark gadgets use bit shifting, which produces the equation \((x * (1 + (p - 1) * x)) \bmod p = 0\) in R1CS gates. This equation represents \(x = 0\) or \(x = 1\). For our optimization, if the Constraint Checker detects such a relation, it will be replaced with \(0 \le x \wedge x \le 1\) where \(x \in \mathbb {F}\). These are logically equivalent, but our replacement is much easier for the SMT solver to work with. A real world gadget like the comparison_gadget in libsnark has 16 constraints, and there are 11 constraints representing \(x = 0\) or \(x = 1\) (see Appendix C).

1.2 A.2 Protocol of the Constraint Checker by the SMT Solver

1.3 A.3 Example Constraint Checker

For the interested reader, we provide an example of our Constraint Checker to show how a developer can run the tool. More examples can be found in our code.

1.4 A.4 Domain Gap Issues

The same upper bound and lower bound does not guarantee that statement equations and R1CS gates have the same range. Figure 4c and 4d shows an example of an unmatched domain with the same upper bound and lower bound.

Domain Gap in Statement Equations  

The ground truth domain of statement equations is known and provided by the user (which means we know the domain gap in the statement equations), the Constraint Checker can use the SMT solver to find if the R1CS gates have solution(s) outside the domain of statement equations (e.g. in the gap). If the SMT solver returns SAT, then the domains’ of the statement equations and R1CS gates do not match and thus they are not equivalent. This example corresponds to Fig. 4d.

Domain Gap in R1CS Gates  

Since the domain of the R1CS gates is unknown, the Constraint Checker cannot use the SMT solver to detect an unmatched domain as in the previous example. However, in this instance, the prover likely will not be able to generate a proof for a secret value in the gap because these secret values are not in the domain of R1CS Gates even though they are valid solutions to the original statement equations. That is, the set of allowable input values for the implemented R1CS matrix is a subset of the set of input values for the desired proof statement. Therefore, while this leads to undesirable behavior as the prover cannot generate proofs for the entire valid input range, it does not lead to any exploits or “fake” proofs (i.e., the ability to generate a valid proof without knowledge of the secret value). This example corresponds to Fig. 4c.

We believe this type of gap is very rare, but we still try to find this issue by producing a set of uniform random numbers as input for statement equations and R1CS gates. If the R1CS gates do not have a solution but the statement equations do have a valid solution for an input number, then there is a gap in the statement equations, which is not equivalent to the statement equations’ domain. This test does not guarantee finding an existing domain gap, but a larger set of numbers has higher confidence in finding any existing gaps.

Fig. 4.

Examples of Domain Comparison

B Additional Information for SnarkFuzzer

1.1 B.1 Example Ideal Model Files

See Figs. 5 and 6.

Fig. 5.

Example file for the ideal branch file

Fig. 6.

Example file for the ideal value file

1.2 B.2 PrettyPrint Example

Fig. 7.

Content of variable type G1

C Equations comparison_gadget Represents

$$ {\left\{ \begin{array}{ll} (w_{14} * (1 + (p - 1) * w_{14})) \bmod p = 0 \\ (1024 + w_{3} + 2 * w_{4} + 4 * w_{5} + 8 * w_{6} + 16 * w_{7} + 32 * \\ \quad \quad w_{8} + 64 * w_{9} + 128 * w_{10} + 256 * w_{11} + 512 * w_{12}) \\ \quad \quad \bmod p = w_{13} \\ (w_{3} * (1 + (p - 1) * w_{3})) \bmod p = 0 \\ (w_{4} * (1 + (p - 1) * w_{4})) \bmod p = 0 \\ (w_{5} * (1 + (p - 1) * w_{5})) \bmod p = 0 \\ (w_{6} * (1 + (p - 1) * w_{6})) \bmod p = 0 \\ (w_{7} * (1 + (p - 1) * w_{7})) \bmod p = 0 \\ (w_{8} * (1 + (p - 1) * w_{8})) \bmod p = 0 \\ (w_{9} * (1 + (p - 1) * w_{9})) \bmod p = 0 \\ (w_{10} * (1 + (p - 1) * w_{10})) \bmod p = 0 \\ (w_{11} * (1 + (p - 1) * w_{11})) \bmod p = 0 \\ (w_{12} * (1 + (p - 1) * w_{12})) \bmod p = 0 \\ (1024 - 1 * w_{1} + w_{2}) \bmod p = w_{13} \\ (w_{15} * (w_{3} + w_{4} + w_{5} + w_{6} + w_{7} + w_{8} + w_{9} + w_{10} + \\ \quad \quad w_{11} + w_{12})) \bmod p = w_{14} \\ ((1 + (p - 1) * w_{14}) * (w_{3} + w_{4} + w_{5} + w_{6} + w_{7} + w_{8} \\ \quad \quad + w_{9} + w_{10} + w_{11} + w_{12})) \bmod p = 0 \\ w_{14} \bmod p = 1 \end{array}\right. } $$