web3.path

PHASE 24 proving systems · 18–30 hours

ZK Systems Engineering

A proof only proves the constraints you wrote. The core engineering question is whether those constraints express the intended statement under malicious witness input.

Goal — build a proof-gated claim pipeline, find an underconstraint deliberately, and version every artifact needed to reproduce verification.

1. Statement before circuit

Write the statement in plain language, then list public inputs, private witness values, assumptions, and forbidden states. Example: “The claimant knows a leaf and Merkle path whose root equals root, and nullifier N has not been used.” This is stronger than “the circuit verifies.”

ArtifactMust be versioned
Circuit source and compiler versionconstraint count and build hash
Proving/verifying keyceremony/setup provenance and hash
Witness generatorinput schema and deterministic test vectors
Verifier contractdeployed address, public-input ordering, key hash, upgrade authority
Prover serviceresource limits, queue policy, timeouts, privacy/logging policy

2. Constraint discipline

// Pseudocode: this is unsafe if `enabled` is unconstrained.
out <== enabled * secretHash;

// Constrain the selector and intended relation.
enabled * (enabled - 1) === 0;
out === enabled * Poseidon(secret);

Every signal that affects acceptance must be constrained. Add negative tests for invalid paths, wrong public roots, malformed witnesses, reused nullifiers, wrong field ordering, and alternate witnesses that should be rejected. Use circuit review tooling where available, but manually trace the acceptance condition.

3. System tradeoffs

4. Practical lab — private allowlist claim

Deliverable
  1. Build a Merkle-membership circuit with a private leaf/path and public root/nullifier. The contract rejects an already-consumed nullifier.
  2. Write a test-vector generator and prove/verify valid and invalid cases in CI. Add an intentionally underconstrained circuit; demonstrate a forged claim before correcting it.
  3. Generate verifier artifacts, deploy the verifier to a testnet, and store source hashes, compiler/tool versions, verifier address, and input schema in a manifest.
  4. Run a small prover worker with a bounded queue, input validation, timeouts, metrics, and no witness logging. Benchmark at least three proof sizes.

Lab repo: labs/phase-24-zk/ — starter circuit is deliberately incomplete.

Rule — never treat a “zero knowledge” label as a substitute for product privacy analysis. Public inputs, timing, metadata, logs, wallets, and claims can still identify users.
← Phase 23Phase 25: Bitcoin Wallet Engineering →