Circuit

A circuit is formally defined as a set of constraints that describe a computation. The most common representation is a Rank-1 Constraint System (R1CS), which breaks down logic into arithmetic gates. For example, a simple 'AND' gate would be represented as a constraint ensuring the output equals the product of two inputs. This mathematical formalization is what a zk-SNARK or zk-STARK prover uses to generate a proof.

In zkRollups like zkSync and StarkNet, circuits are the core engine. They encode the rules for valid state transitions (e.g., token transfers, swaps). The sequencer executes transactions and generates a ZK proof of correctness using these pre-defined circuits. This proof, verified on-chain (e.g., Ethereum), allows the rollup to inherit security without re-executing all transactions. Key metrics include:

• Proof generation time: The computational bottleneck.
• Constraint count: Determines proof size and cost.

For zk-SNARKs, a one-time trusted setup ceremony (like Perpetual Powers of Tau) is required for each unique circuit. This generates public parameters (proving and verification keys). A critical limitation is circuit inflexibility: the logic is fixed. To upgrade a smart contract's logic in a zkRollup, a new circuit must be created and a new trusted setup may be required, making agile development challenging.

Building a zkEVM involves creating circuits that mimic the behavior of the Ethereum Virtual Machine. This is exceptionally complex due to EVM's vast opcode set and state model. Projects take different approaches:

• zkSync Era: Uses a custom VM (LLVM-based) compiled to circuits.
• Scroll: Creates circuits that directly correspond to EVM opcodes.
• Polygon zkEVM: Uses a bytecode-level zkEVM. The goal is to make the circuit's constraints equivalent to EVM execution traces.

A recursive proof (or proof aggregation) is a technique where one ZK proof verifies other proofs. This requires a special verification circuit embedded within a main circuit. It's essential for scaling zkRollups, as it allows multiple block proofs to be aggregated into a single proof for efficient L1 settlement. This creates a hierarchy of proofs, dramatically reducing on-chain verification cost and data.

The choice of proving system (e.g., Groth16, PLONK, STARK) dictates performance and trust assumptions. Groth16 offers small proofs and fast verification but requires a trusted setup per circuit. PLONK-family systems (Plonk, Halo2) use universal trusted setups. STARKs are transparent (no trusted setup) but generate larger proofs. The decision impacts proof generation speed, proof size, and verification cost on-chain.

Developers write circuits using a domain-specific language (DSL) like Circom, Noir, or Cairo, which compiles to a constraint system (R1CS or Plonkish). Key considerations include:

• Language expressiveness and safety (e.g., overflow checks).
• Toolchain maturity for debugging and testing.
• Performance of the final constraint count, which directly affects prover time and cost.

Many proving systems require a trusted setup ceremony to generate public parameters (the Common Reference String). This is a critical security and operational consideration. Systems like Groth16 need a circuit-specific setup, while PLONK uses a universal setup. The ceremony must be performed correctly and securely, often using multi-party computation (MPC), to ensure the soundness of all subsequent proofs.

Prover time and memory (RAM) are primary bottlenecks. Complex circuits can take minutes or hours to generate a proof, requiring significant computational resources. Optimization focuses on:

• Minimizing the number of constraints or polynomial degree.
• Efficient use of lookup tables and custom gates.
• Parallelization of proof generation steps. High prover cost affects application scalability and user experience.

The circuit must be optimized for the target blockchain's verification cost. This involves:

• Minimizing proof size (in bytes) to reduce calldata costs on Ethereum L1.
• Ensuring the verification logic is compatible with precompiles (e.g., BN254, BLS12-381 pairing) available on the chain.
• Considering recursive proof aggregation (proofs of proofs) to batch verifications and reduce overall L1 costs.

Circuits are vulnerable to unique cryptographic and logical bugs. Rigorous practices are required:

• Formal verification of the circuit logic.
• Side-channel analysis to prevent prover cheating (e.g., using unsatisfiable constraints).
• Audits by specialists in ZK cryptography, not just smart contract auditors.
• Comprehensive test coverage with both valid and invalid witness inputs to ensure soundness and completeness.

The foundational mathematical model for a circuit. It represents a computation as a directed acyclic graph where nodes (gates) perform arithmetic operations (addition, multiplication) on wires carrying finite field elements. This is the standard representation for Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) systems.

• Purpose: Encodes the statement to be proven.
• Example: A circuit proving you know the preimage of a hash would encode the hash function's steps.

A format for flattening an arithmetic circuit into a set of quadratic equations that a prover must satisfy. It's a common intermediate representation used by proof systems like Groth16.

• Structure: Defined by three matrices (A, B, C) representing the constraints.
• Function: Converts circuit logic into the mathematical form (A · s) * (B · s) = (C · s) for a solution vector s.
• Role: A critical step in generating the proving key and verifying key.

A more flexible alternative to R1CS for representing circuit constraints, used by proof systems like PLONK and Halo2. It organizes the circuit into a table and uses custom gates and lookup arguments.

• Advantage: Enables universal trusted setups and more efficient proof generation for certain operations.
• Core Concept: Constraints are expressed as polynomial identities over defined rows and columns of the execution trace.

A processor that executes programs and generates a zero-knowledge proof of correct execution. The program's logic is compiled into a circuit that the zkVM evaluates.

• Purpose: Allows developers to write proofs in high-level languages (e.g., Rust, C).
• Examples: zkEVM (for Ethereum compatibility), RISC Zero, SP1.
• Output: A proof that a program ran correctly given specific inputs, without revealing private data.

The general set of equations that define the valid relationships between variables in a circuit. The prover's job is to find a satisfying assignment to these constraints.

• Types: Includes R1CS, Plonkish, and AIR (Algebraic Intermediate Representation).
• Analogy: The 'rulebook' for the computational game. A valid proof is a solution that follows all the rules.
• Complexity: The number and type of constraints directly impact proving time and cost.

The basic operational units within a circuit. Each gate performs a primitive computation (e.g., AND, XOR, addition over a finite field) on one or more input wires to produce an output.

• Function: Enforce a single logical or arithmetic constraint.
• Custom Gates: In advanced arithmetization (e.g., Plonkish), gates can be designed to efficiently compute complex operations like elliptic curve addition in a single step.
• Circuit Size: Often measured in the number of gates, which correlates with proving cost.