An arithmetic circuit is a model for computing polynomials, where nodes (or gates) perform addition (+) and multiplication (*) operations, and edges carry values from a finite field. It is the foundational representation used in zero-knowledge proofs (ZKPs), particularly zk-SNARKs and zk-STARKs, where complex program logic is compiled into a set of polynomial constraints. This compilation process, often called arithmetization, transforms statements like "I know a valid transaction" into a format that can be proven cryptographically without revealing the underlying data.
LABS
Glossary
Arithmetic Circuit
An arithmetic circuit is a computational model representing a program as a graph of addition and multiplication gates over a finite field, forming the basis for constructing zero-knowledge proofs.
Chainscore © 2026
definition
ZK-PROOF FUNDAMENTAL
What is an Arithmetic Circuit?
An arithmetic circuit is a computational model that represents a mathematical function as a directed acyclic graph of arithmetic operations over a finite field.
The structure of a circuit is defined by its wires and gates. Each wire carries a value, and each gate performs an operation on its input wires to produce an output. The entire computation is captured by a set of constraint systems, such as Rank-1 Constraint Systems (R1CS) or Plonkish arithmetization, which encode the gate relationships as polynomial equations. Satisfying these equations with a valid set of wire assignments (a witness) proves the computation was executed correctly.
In blockchain applications, arithmetic circuits are used to create verifiable computation. For example, a zk-rollup uses a circuit to represent the rules for updating a state root (e.g., processing hundreds of transfers). A prover generates a proof by running the computation and creating a witness that satisfies the circuit's constraints. A verifier can then check the proof against the public inputs and the circuit's structure, ensuring the computation is valid without re-executing it, which enables scalability and privacy.
how-it-works
ZK-SNARK FUNDAMENTALS
How an Arithmetic Circuit Works
An arithmetic circuit is the foundational computational model used in zero-knowledge proofs, representing complex statements as a series of simple arithmetic operations on a finite field.
An arithmetic circuit is a directed acyclic graph (DAG) that models a computation using only addition (+) and multiplication (*) gates over elements in a finite field. It is the primary abstraction for encoding the statement to be proven in zero-knowledge proofs (ZKPs), particularly ZK-SNARKs. The circuit's inputs are private and public values, and its structure defines the constraints that must be satisfied for a proof to be valid. This representation transforms any NP statement into a format that can be cryptographically verified with high efficiency.
The construction of a circuit involves converting a program or logical condition into a Rank-1 Constraint System (R1CS) or a similar format. Each multiplication gate creates a constraint that enforces a relationship between the left input wire, right input wire, and output wire. For example, a simple constraint like out = x * y ensures the prover knows values for x and y that multiply to the claimed out. These constraints are compiled into a polynomial identity, which is the core object tested by the zk-SNARK protocol.
In practice, developers use domain-specific languages (DSLs) like Circom or ZoKrates to write high-level logic, which is then compiled down to an arithmetic circuit. This circuit is subsequently used to generate a proving key and a verification key. The prover uses the circuit and the proving key to create a proof that they executed the circuit correctly with valid private inputs, without revealing those inputs. The verifier checks this proof against the public inputs and the verification key.
key-features
CORE MECHANICS
Key Features of Arithmetic Circuits
Arithmetic circuits are the fundamental computational model for zero-knowledge proofs, representing statements as polynomial equations over a finite field.
01
Polynomial Representation
An arithmetic circuit encodes a computational statement as a multivariate polynomial equation over a finite field (e.g., a prime field). The prover's claim (e.g., "I know the private key for this public key") is translated into a claim that this polynomial evaluates to zero. This algebraic structure is what allows for efficient cryptographic proofs.
02
Gates & Wires
The circuit is composed of addition (+) and multiplication (×) gates connected by wires. Wires carry values from the finite field. This limited gate set is sufficient to represent any bounded computation. The topology of the circuit—how gates are connected—is fixed and public, forming the circuit description or constraint system.
03
Rank-1 Constraint System (R1CS)
A standard intermediate representation for arithmetic circuits. R1CS expresses the circuit as a set of constraints of the form:
(A · s) * (B · s) = (C · s)whereA, B, Care vectors of coefficients andsis the witness vector containing all wire values. This format is used by proof systems like Groth16 and Groth-Maller.
04
Witness
The witness is the set of all private values assigned to the circuit's wires that satisfy all constraints. It includes the prover's secret inputs. The prover's goal is to convince a verifier that a valid witness exists without revealing it. The NP-complete problem of finding a satisfying witness underpins the security of ZK-SNARKs.
05
Field Arithmetic
All operations occur within a finite field (typically a large prime field). This is crucial because:
- It prevents overflow/rounding errors, ensuring exact computation.
- It enables the use of elliptic curve cryptography and polynomial commitments.
- Field size (e.g., ~254 bits for BN254 curve) directly impacts security and efficiency.
06
Circuit Complexity
The size (number of gates) and depth (longest path) of a circuit are primary drivers of prover time, proof size, and verifier time. Non-deterministic advice (the witness) allows complex computations to be represented with fewer gates. Optimizing circuit compilation from high-level languages (like Circom or Noir) is a major focus for performance.
visual-explainer
ZK-SNARK FUNDAMENTALS
Visual Explainer: The Circuit Graph
An arithmetic circuit is the foundational computational model for zero-knowledge proofs, translating program logic into a format that can be cryptographically verified.
An arithmetic circuit is a directed acyclic graph (DAG) that represents a computation as a sequence of arithmetic operations over a finite field. Its nodes, or gates, perform addition and multiplication, while its edges carry values, known as signals or wires. This graph-based representation is the standard intermediate form for complex computations in zero-knowledge proof systems like ZK-SNARKs and ZK-STARKs, as it structures the computation into a form that can be efficiently encoded into polynomial constraints. The circuit's size, measured in the number of multiplication gates, is a primary determinant of proof generation time and verification cost.
The process of creating a circuit, known as circuit compilation or arithmetization, transforms a high-level program (e.g., written in a language like Circom or Noir) into this graph. Each logical step—checking a digital signature, validating a Merkle proof, or enforcing a business rule—is broken down into fundamental field operations. The resulting circuit defines a set of polynomial equations or rank-1 constraint system (R1CS) constraints that must be satisfied for the computation to be correct. The witness, the set of private inputs and intermediate values that satisfy these constraints, is a valid assignment to the circuit's wires.
Visualizing the circuit as a graph reveals its structure and dependencies. Inputs flow from source nodes, are processed through gates, and converge at output nodes. This visualization helps developers identify optimization opportunities, such as reducing the number of multiplicative gates to shrink proof size. In practice, for a ZK-SNARK, the prover cryptographically commits to the witness values on the wires, and the verifier checks a short proof against the public circuit description and outputs. The security of the entire proof system rests on the accurate representation of the intended computation within this circuit graph.
technical-details-constraints
ZK-SNARK FUNDAMENTALS
Technical Details: From Gates to Constraints
This section deconstructs the core computational model that transforms a program into a format suitable for zero-knowledge proofs.
An arithmetic circuit is a directed acyclic graph (DAG) that models a computation using only addition and multiplication gates over a finite field. It is the foundational representation for constructing zero-knowledge proofs (ZKPs), particularly zk-SNARKs, where the prover's computational task is expressed as a set of polynomial equations derived from the circuit's structure. Each wire in the circuit carries a value from the field, and each gate enforces a constraint—for example, a multiplication gate with inputs a and b and output c enforces the constraint a * b = c.
The process of arithmetization converts a program or statement into this circuit format. This involves breaking down high-level operations (like hash functions or conditional checks) into a sequence of field additions and multiplications. The resulting circuit is then compiled into a constraint system, such as a Rank-1 Constraint System (R1CS) or a Plonkish constraint system, which formally encodes every gate as one or more equations that must be satisfied for a valid computation. The complexity of the proof is directly tied to the number of gates, or constraints, in this system.
Within a zk-SNARK protocol, the prover uses a witness—the private inputs and intermediate values satisfying all circuit constraints—to generate a proof. The verifier only needs the public inputs and the circuit's structure (often embedded in a verification key) to check the proof's validity. This abstraction is powerful because it allows verification time to be independent of the original computation's runtime, relying only on the fixed size of the circuit. Optimizing these circuits for minimal gate count is a critical area of research, directly impacting proof generation speed and cost.
ecosystem-usage
ARITHMETIC CIRCUIT
Ecosystem Usage: Protocols & Chains
Arithmetic circuits are the fundamental computational model for zero-knowledge proofs, enabling efficient verification of complex statements. Their implementation varies across leading protocols, each optimizing for different trade-offs between prover speed, proof size, and verification cost.
06
Performance Trade-offs
The choice of arithmetic circuit and proving system involves critical trade-offs:
- Prover Time: STARKs/AIR can be faster than some SNARK/R1CS implementations.
- Proof Size: SNARK proofs (e.g., Groth16) are tiny (~200 bytes), while STARK proofs are larger (~45-200 KB).
- Verification Cost: Smaller proofs mean lower on-chain verification gas costs, a key metric for Ethereum L2s.
- Setup: SNARKs often require a trusted setup; STARKs and some Plonk variants are transparent.
examples
ARITHMETIC CIRCUIT
Example Computations as Circuits
An Arithmetic Circuit is a computational model that represents a program as a directed acyclic graph of arithmetic operations over a finite field. This section illustrates how common computations are structured as circuits for zero-knowledge proofs and other cryptographic protocols.
01
Simple Boolean Logic (AND Gate)
A fundamental building block, an AND gate is expressed as a multiplication constraint. For inputs a and b (each 0 or 1), the output c must satisfy:
- Constraint:
a * b = c - Witness Values: If
a=1andb=1, thenc=1. If either input is 0,c=0. This simple gate forms the basis for more complex logical operations within a circuit.
02
Polynomial Evaluation
Evaluating a polynomial, such as P(x) = 3x² + 2x + 1, is broken down into sequential operations:
- Step 1 (Square): Compute
x2 = x * x. - Step 2 (Multiply): Compute
term1 = 3 * x2andterm2 = 2 * x. - Step 3 (Add): Compute
sum = term1 + term2. - Step 4 (Final Add): Compute
result = sum + 1. Each step becomes a gate in the circuit, with wires carrying intermediate values.
03
Hash Function (Simplified SHA-256 Round)
A single round of a cryptographic hash like SHA-256 involves bitwise operations, modular addition, and logical functions, all expressed as field arithmetic.
- Bitwise XOR:
a ⊕ bis implemented asa + b - 2*a*bover binary-constrained inputs. - Majority Function:
maj(a,b,c) = (a∧b) ⊕ (a∧c) ⊕ (b∧c)becomes a series of multiplication and addition gates. - Modular Addition: 32-bit addition modulo 2³² is enforced using overflow constraints. A full hash requires thousands of such gates.
04
Range Proof (Value is Less Than 8)
Proving a secret value v is less than 8 (3 bits) without revealing it uses a bit decomposition circuit.
- Constraints: Prove
vequals the sum of its bits:v = b0 + 2*b1 + 4*b2. - Boolean Checks: Enforce each
b0, b1, b2is either 0 or 1 usingbi * (1 - bi) = 0. - Result: The circuit validates the bit representation, proving
0 ≤ v < 8. This pattern scales for any upper bound.
05
Digital Signature Verification
Verifying an ECDSA signature (e.g., secp256k1) inside a circuit involves elliptic curve operations.
- Point Addition: Adding two curve points requires slope calculation and field operations.
- Scalar Multiplication: Computing
s * Gis broken into a double-and-add algorithm, creating a gate for each bit of the scalar. - Final Check: The circuit validates if the derived public key matches the expected one, all without revealing the signature's raw components.
06
Sudoku Solution Verifier
A classic example of an NP-complete problem expressed as constraints.
- Cell Constraints: Each of the 81 cells contains a value between 1-9 (range proofs).
- Row/Column Constraints: For each row and column, prove all values are distinct (e.g., using a sum/product check).
- Sub-grid Constraints: Prove uniqueness within each 3x3 block. The circuit doesn't solve the puzzle; it verifies a proposed solution satisfies all rules.
ZK-SNARK IMPLEMENTATIONS
Comparison: Circuit Types & Proof Systems
A comparison of major zero-knowledge proof systems based on their underlying circuit representation and cryptographic assumptions.
| Feature / Metric | Groth16 (R1CS) | PLONK (Plonkish) | STARK (AIR) | Halo2 (Plonkish) |
|---|---|---|---|---|
Primary Circuit Type | Rank-1 Constraint System (R1CS) | Plonkish Arithmetization | Algebraic Intermediate Representation (AIR) | Plonkish Arithmetization |
Trusted Setup Required | ||||
Proof Size | ~200 bytes | ~400 bytes | ~45-200 KB | ~1-2 KB |
Verification Time | < 10 ms | ~10-50 ms | ~10-100 ms | ~10-50 ms |
Recursive Proofs | ||||
Post-Quantum Safe | ||||
Key Cryptographic Assumption | Knowledge of Exponent | Polynomial Commitments | Collision-Resistant Hashes | Polynomial Commitments |
ARITHMETIC CIRCUITS
Common Misconceptions
Arithmetic circuits are fundamental to zero-knowledge proofs, but their role and limitations are often misunderstood. This section clarifies key points about their function, constraints, and relationship to other cryptographic components.
No, an arithmetic circuit is a mathematical model for computation, while a smart contract is executable code on a blockchain. An arithmetic circuit is a directed acyclic graph (DAG) where nodes perform addition or multiplication over a finite field, representing a constraint system. Smart contracts, like those on Ethereum, are written in high-level languages (e.g., Solidity) and compiled to bytecode for a virtual machine. To generate a zero-knowledge proof about a smart contract's execution, the logic must first be compiled or "circuitized" into this low-level arithmetic representation, which is a complex and manual process. The circuit defines the rules; the proof attests that those rules were followed.
ARITHMETIC CIRCUIT
Frequently Asked Questions (FAQ)
Essential questions and answers about arithmetic circuits, the foundational mathematical structure used in zero-knowledge proofs and other cryptographic protocols.
An arithmetic circuit is a computational model that represents a mathematical function as a directed acyclic graph of arithmetic operations (addition and multiplication) over elements in a finite field. It is the primary representation used by zero-knowledge proof (ZKP) systems like zk-SNARKs and zk-STARKs to encode the statement to be proven. The circuit's gates perform operations, and its wires carry values, defining the precise computational constraints that a prover must satisfy to generate a valid proof. This model is crucial because it translates complex program logic into a form that can be efficiently verified cryptographically.
further-reading
ARITHMETIC CIRCUIT
Further Reading
Explore the foundational concepts and practical applications of arithmetic circuits in zero-knowledge cryptography and blockchain scaling.
02
R1CS & QAP
To make circuits proof-friendly, they are often compiled into intermediate representations.
- Rank-1 Constraint System (R1CS): A format where the circuit is expressed as a set of equations of the form
(A · s) * (B · s) = (C · s), wheresis the witness vector. - Quadratic Arithmetic Program (QAP): An R1CS is transformed into a QAP, reducing the verification to checking polynomial identities, which is efficient for SNARKs.
04
Circuit Complexity
The performance of a ZK system is directly tied to circuit size, measured in constraints or gates.
- Prover Time: Typically scales linearly or quasi-linearly with the number of constraints.
- Proof Size & Verification Time: Often constant or logarithmic, but depend on the proof system.
- Optimization Goal: Minimizing constraints is critical for practical applications like rollups.
06
Applications: ZK-Rollups
Arithmetic circuits enable ZK-Rollups, a leading Layer 2 scaling solution.
- The circuit encodes the logic of validating a batch of transactions.
- The proof attests to the correct state transition, which is posted on-chain.
- This allows for high throughput and low fees while inheriting Ethereum's security. Systems like zkSync and StarkNet are built on this principle.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall