Circom

Circom (Circuit Compiler) is a domain-specific language and compiler framework used to define arithmetic circuits for generating zero-knowledge proofs (ZKPs), specifically zk-SNARKs. It allows developers to write high-level logic that describes computational statements, which the compiler then transforms into a system of quadratic constraints (R1CS) suitable for proof generation and verification. This process is essential for creating efficient and verifiable computations in privacy-preserving applications like ZK-rollups and private transactions.

The core workflow involves two main components: the Circom language for writing circuit logic and the circom compiler that processes it. Developers define template functions that represent reusable circuit components, specifying the relationships between input and output signals using arithmetic operations. The compiler outputs the circuit in a format that can be used by a trusted setup ceremony to generate proving and verification keys, which are then utilized by proof systems like SnarkJS to create and validate proofs.

A key feature of Circom is its focus on constraint-based programming. Instead of executing computations directly, a Circom program declares the mathematical relationships that must hold true between variables. For example, a circuit proving knowledge of factors of a number would not compute the factors but would enforce that the multiplication of two private signals equals a public output. This paradigm shift is fundamental to zero-knowledge cryptography, where the goal is to prove correctness without revealing the underlying data.

Circom is predominantly used within the Ethereum ecosystem, particularly for scaling solutions like zkSync, Polygon zkEVM, and Scroll. Its circuits enable these Layer 2 networks to batch thousands of transactions into a single succinct proof, dramatically reducing on-chain verification cost and data. Beyond scaling, it's used for privacy applications such as Tornado Cash (for anonymous transactions) and credential verification systems where users can prove attributes without disclosing them.

While powerful, working with Circom requires careful attention to security and correctness. Circuit bugs can lead to critical vulnerabilities, as the logic defines the absolute rules of the proof system. Furthermore, developers must manage the trusted setup phase, where toxic waste must be securely discarded, and be mindful of performance considerations, as circuit size directly impacts proof generation time and cost. Tools like circomspect and Picus Security have emerged to help audit and analyze circuits for potential issues.

The term Circom is a contraction of Circuit Compiler. This name directly describes its primary function: it is a domain-specific language and compiler for defining arithmetic circuits, which are the fundamental computational models used in constructing zero-knowledge proofs (ZKPs). The 'circuit' component refers to the logical gates and constraints that represent a computation, while 'compiler' indicates the tool's role in transforming high-level code into the low-level constraints required by proof systems like Groth16 and PLONK.

The etymology reflects the project's origins and philosophy. Developed by iden3, the creators of the zk-rollup solution Polygon zkEVM, Circom was designed to provide a more accessible and secure way for developers to write ZKP circuits compared to manually crafting R1CS (Rank-1 Constraint Systems). The name emphasizes a shift from manual, error-prone assembly to a structured, compiled approach, much like how high-level programming languages abstracted machine code.

Understanding this etymology is key for developers. It signals that working with Circom involves thinking in terms of constraint-based programming. Instead of writing execution logic, developers define the relationships between variables that must always hold true. This circuit model, central to SNARKs (Succinct Non-Interactive Arguments of Knowledge), is what allows a prover to convince a verifier of a statement's truth without revealing the underlying data. The name Circom, therefore, serves as a constant reminder of the foundational abstraction layer in modern zk-proof development.

Circom (short for Circuit Compiler) is a domain-specific programming language designed for constructing arithmetic circuits, which are the computational models used to generate zero-knowledge proofs (ZKPs), particularly ZK-SNARKs. Developers write circuit logic in Circom, which is then compiled into a set of constraints that define the valid execution paths of a computation without revealing the underlying inputs. This process transforms a program into a format that a proving system, like Groth16 or PLONK, can use to generate and verify succinct proofs.

The core abstraction in Circom is the template, a reusable circuit component that defines a set of constraints among its input and output signals (private and public variables). A developer's primary task is to design these templates to encode the correct execution of a specific computation, such as verifying a digital signature or proving knowledge of a hash pre-image. The language provides operators for arithmetic operations over a finite field, control flow constructs, and component instantiation, allowing for the composition of complex circuits from simpler, auditable building blocks.

Once a circuit is written, the Circom compiler performs several critical steps: it flattens the hierarchical circuit into a single list of constraints represented as Rank-1 Constraint System (R1CS), and it generates the corresponding WebAssembly code and a proving key and verification key. These artifacts are then used by separate proving systems. For example, the popular snarkjs library often takes the Circom compiler's R1CS output to set up a trusted ceremony and generate proofs, enabling applications in private transactions, identity verification, and scalable blockchain rollups.

The following Circom code defines a simple circuit that proves knowledge of a preimage for a hash without revealing it. This is a fundamental building block for privacy-preserving applications. The circuit, named HashPreimage, takes a private input signal in and a public input signal hash. It uses the built-in Poseidon template to compute a hash of the private input and then uses the === operator to enforce that the computed hash equals the provided public hash. If this constraint is satisfied, the proof is valid.

Key components of this example include: the template declaration defining the circuit's structure, signal declarations specifying private (in) and public (hash) inputs, and the instantiation of the Poseidon hash function. The component keyword is used to create an instance of the hash function, and the == operator creates an assertion or constraint. This constraint is what the prover must satisfy, linking their secret knowledge (in) to the public statement (hash).

To use this circuit, a prover would compile it with the Circom compiler to generate R1CS (Rank-1 Constraint System) and Witness files. These artifacts are then used by proving systems like Groth16 or PLONK to generate and verify a zero-knowledge proof. This example, while minimal, illustrates the core paradigm of zk-SNARK development: defining computational constraints over private data that can be verified efficiently by anyone with the public parameters and the proof.