Circom language tutorial with circomlib walkthrough This tutorial introduces the Circom language and how to use it, along with common pitfalls. We will also explain a significant portion of the...

AliasCheck and Num2Bits_strict in Circomlib An alias bug in Circom (or any ZK circuit language) occurs when a binary array of signals encodes a number larger than the field element can hold. We will...

Hello World Circom Introduction This chapter shows the relationship between Circom code and the Rank 1 Constraint System (R1CS) it compiles to. Understanding R1CSs is critical to understanding...

ZK Proof of Selection Sort Most computations of interest are generally “stateful” — that is, they need to go through a series of steps to produce the final result. Sometimes, we do not need to show...

MD5 Hash In Circom In this tutorial, we will implement the MD5 hash in Circom both to compute the hash and to constrain in Circom that it was computed correctly. Although the MD5 hash function is not...

Compute Then Constrain "Compute then constrain" is a design pattern in ZK circuits where an algorithm's correct output is first computed without constraints. The correctness of the solution is then...

How a ZKVM Works A Zero-Knowledge Virtual Machine (ZKVM) is a virtual machine that can create a ZK-proof that verifies it executed a set of machine instructions correctly. This allows us to take a...

32-Bit Emulation in ZK The default datatype in ZK is the field element, where all arithmetic is done modulo a large prime number. However, most “real” computation is done using 32, 64, or 256-bit...

Indicate Then Constrain If we want to say that “ can be equal to 5 or 6” we can simply use the following constraint: However, suppose we want to say that “ is less than 5 or is greater than 17.” In...

Intermediate Signals and Sub-Component Circom’s primary purpose is to compile down to a Rank 1 Constraint System (R1CS), but its secondary purpose is to populate the witness. For most circuits, the...