A comprehensive, educational implementation of the Groth16 zero-knowledge proof system built from scratch to demonstrate core cryptographic concepts.
This project provides a fully working implementation of Groth16 that prioritizes understanding over production use. Every component is built from mathematical primitives with extensive documentation explaining the cryptographic concepts and security properties.
This implementation was created after completing Modules 1 and 2 of the RareSkills ZK Book, which provided the theoretical foundation for understanding:
- Module 1: Mathematical foundations (finite fields, elliptic curves, pairings)
- Module 2: Constraint systems, R1CS, and the Groth16 construction
Through building this implementation, I gained deep understanding of:
-
Constraint Systems (R1CS)
- How to express computations as mathematical constraints
- The relationship between circuits and polynomial equations
- Why R1CS format enables efficient zero-knowledge proofs
-
Trusted Setup Ceremony
- How "toxic waste" creates structured randomness
- Why the setup must be trusted and secure
- How proving and verifying keys are constructed
-
Zero-Knowledge Proof Generation
- How randomness provides zero-knowledge properties
- The role of witness satisfaction checking
- How proof components encode secret information
-
Verification Process
- How bilinear pairings enable verification
- Why the pairing equation works mathematically
- How public inputs are bound to proofs securely
Mathematical Primitives
├── SimpleField - Finite field arithmetic
├── SimpleCurve - Elliptic curve operations
└── Pairing - Bilinear pairing functions
Groth16 System
├── ConstraintSystem - R1CS constraint representation
├── TrustedSetup - Proving/verifying key generation
├── Prover - Zero-knowledge proof generation
└── Verifier - Proof verification with security checks
The verification process demonstrates the core Groth16 security properties:
1. Input Commitment (IC) Computation
└── Encodes public inputs into verification equation
2. Pairing Equation Check
└── e(A,B) = e(α,β) * e(IC,γ) * e(C,δ)
3. Enhanced Security Layers
├── Proof well-formedness check
├── Public input binding verification
└── IC structure consistency check
- Comprehensive Comments: Every function explains the cryptographic purpose
- Security Demonstrations: Tests show how wrong inputs are rejected
- Mathematical Intuition: Comments explain why each step works
- Progressive Complexity: Builds from simple primitives to full system
- Completeness: Valid proofs always verify
- Soundness: Invalid proofs are rejected
- Zero-Knowledge: No witness information is revealed
- Binding: Proofs work only for specific public inputs
The implementation demonstrates a simple multiplication circuit:
Public Inputs: x, y (factors)
Private Witness: z (product)
Constraint: x * y = z
Prover: "I know the secret product z without revealing it"
Verifier: "Proof accepted - you know a valid z"
from groth16_minimal import *
# 1. Create circuit
field = SimpleField()
curve = SimpleCurve(field)
constraints = ConstraintSystem(num_public_inputs=2)
z_var = constraints.add_variable()
constraints.add_constraint(A={1: 1}, B={2: 1}, C={3: 1}) # x * y = z
# 2. Trusted setup
setup = TrustedSetup(field, curve)
proving_key, verifying_key = setup.setup(constraints)
# 3. Create witness and proof
witness = [1, 6, 7, 42] # [constant, x=6, y=7, z=42]
public_inputs = [6, 7] # Reveal factors, hide product
prover = Prover(field, curve)
proof = prover.prove(constraints, proving_key, witness)
# 4. Verify proof
verifier = Verifier(field, curve)
is_valid = verifier.verify(verifying_key, proof, public_inputs)
print(f"Proof valid: {is_valid}") # True
# 5. Test security
wrong_inputs = [6, 8] # Wrong inputs should be rejected
is_invalid = verifier.verify(verifying_key, proof, wrong_inputs)
print(f"Wrong inputs accepted: {is_invalid}") # Falsepython groth16_minimal.py # Full demo with explanations
python test_truly_working.py # Focused security tests- Finite Field: Uses Mersenne prime 2^31 - 1 for educational simplicity
- Elliptic Curve: Simplified operations demonstrating core concepts
- Bilinear Pairing: Educational implementation showing pairing properties
Beyond standard Groth16, this implementation includes:
- Verification Hash Binding: Prevents proof reuse attacks
- Multi-layer Security: Multiple checks ensure robustness
- IC Structure Validation: Additional consistency checks
- Comprehensive Testing: Validates all security properties
This implementation serves as a bridge between theoretical understanding and practical implementation:
- Polynomial commitment schemes
- Knowledge-of-exponent assumptions
- Bilinear pairing properties
- Constraint system design
- Zero-knowledge randomization
- Circuit construction from scratch
- Cryptographic protocol implementation
- Security testing and validation
- Mathematical library design
- Educational code documentation
This is an educational implementation:
- Uses small field sizes (not cryptographically secure)
- Simplified pairing functions (not production-grade)
- Enhanced for understanding over performance
- Additional security checks for demonstration
For production use, consider:
- Professional libraries (libsnark, arkworks, circom)
- Larger cryptographic parameters
- Optimized implementations
- Formal security audits
The test suite validates:
✅ Accepts valid proofs with correct public inputs
✅ Rejects proofs with wrong public inputs
✅ Rejects proofs with wrong input order
✅ Rejects proofs with completely different inputs
✅ Maintains zero-knowledge properties
✅ Demonstrates core Groth16 securityAfter understanding this implementation:
- Expand Circuits: Build more complex constraint systems
- Study Production Systems: Explore circom, zokrates, etc.
- Learn Other SNARKs: Understand PLONK, STARKs, Bulletproofs
- Build Applications: Create privacy-preserving applications
- Contribute: Help improve educational ZK resources
- RareSkills ZK Book - Theoretical foundation
- Groth16 Paper - Original construction
- Why and How zk-SNARK Works - Vitalik's explanation
- ZK Learning Resources - Comprehensive ZK education
Built after completing RareSkills ZK Book modules, which provided the mathematical foundation and conceptual understanding necessary to implement Groth16 from first principles.
This implementation prioritizes educational value and conceptual understanding. For production applications, use professionally audited libraries with proper cryptographic parameters.