Cryptographic Security Model
RISC Zero is proud to offer an end-to-end solution for verifiable computation. Users can generate proofs for correct execution of software code using the RISC Zero zkVM, and they can verify those proofs on-chain using our permissionless verifier contract on Ethereum networks such as Sepolia.
The rest of this document offers an overview of the security model for applications that rely on RISC Zero's tooling.
RISC Zero offers the following components, each of which is ready for use on testnet.
Overview of Components
The RISC Zero zkVM, together with the on-chain dependencies needed to verify its proofs on-chain, can be described as the following five high-level components.
Component Name | Latest Audit | Description |
---|---|---|
cargo risczero tool | 10/31/2023 | Compiles user-written Rust code into RISC-V ELF binaries deterministically |
RISC-V Prover | 10/31/2023 | Executes and proves execution of ELF binaries produced by the cargo risczero tool |
Recursion Prover | 10/31/2023 | Aggregates proofs from the RISC-V Prover; supports a small number of programs such as lift, join, and resolve. Each program is identified by a control ID, and the full list of allowed programs is identified in the control root. |
STARK-to-SNARK Prover | 05/20/2024 | Verifies STARK proofs from the RISC Zero Recursion Prover, compressing them into a Groth16 SNARK for efficient on-chain verification. The control root is passed in as a public input, allowing for updates to our RISC-V Prover without requiring a new trusted setup ceremony. |
On-chain verifier contracts | 06/05/2024 | Verifies Groth16 proofs from the RISC Zero STARK-to-SNARK Prover. The control root is hard-coded into the on-chain verifier contract. Addresses for the on-chain verifier contracts we have deployed are available in our verifier contract documentation, and a detailed description of the options for governance, upgrades, and deprecation is available in our Version Management Design doc. |
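A simplified model of the control ID and control root relationship described in the table, added here as an illustration and not RISC Zero's code. It assumes the control root is a Merkle-style commitment over the allowed control IDs and uses SHA-256 as a stand-in hash; the function names and the `rogue` program used to exercise it are hypothetical.

```python
import hashlib

def h(tag: bytes, data: bytes) -> bytes:
    # Domain-separated SHA-256 (stand-in hash chosen for this example)
    return hashlib.sha256(tag + data).digest()

def control_id(program: bytes) -> bytes:
    # Constructed stand-in: a control ID here is just a digest of the program bytes
    return h(b"id:", program)

def build_levels(ids):
    # Hash each ID into a leaf, pad with a fixed empty leaf to a power of two
    if not ids:
        raise ValueError("allow-list must not be empty")
    level = [h(b"leaf:", i) for i in ids]
    while len(level) & (len(level) - 1):
        level.append(h(b"leaf:", b""))
    levels = [level]
    while len(level) > 1:
        level = [h(b"node:", level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def control_root(ids):
    return build_levels(ids)[-1][0]

def inclusion_path(ids, index):
    # Sibling hashes from the leaf level up to (not including) the root
    path = []
    for level in build_levels(ids)[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def root_from_path(cid, index, path):
    node = h(b"leaf:", cid)
    for sibling in path:
        pair = node + sibling if index % 2 == 0 else sibling + node
        node = h(b"node:", pair)
        index >>= 1
    return node

def verifier_accepts(pinned_root, public_root, cid, index, path):
    # Check 1: the root supplied as a public input equals the hard-coded constant.
    # Check 2: the program's control ID is a member of the list under that root.
    return public_root == pinned_root and root_from_path(cid, index, path) == public_root

# Constructed sample data: the three program names mentioned in the table
ALLOWED = [control_id(n) for n in (b"lift", b"join", b"resolve")]
PINNED_ROOT = control_root(ALLOWED)
```

In this model, changing the allow-list changes only the root value that the verifier pins, not the verification logic, which mirrors why the control root is an input rather than part of the circuit.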
Together, these components allow developers to integrate proofs of arbitrary Rust code into their on-chain applications. In order to use these components, developers provide:
- the Rust code for their zkVM guest program.
- a smart contract on-chain whose behavior will depend on the output of the Verifier Contract.
RISC Zero technology cannot prevent many types of security issues in user guest programs (e.g. applications) or contracts. It is necessary for zkVM adopters to validate the security of guest programs and contracts. This includes secure development life-cycles and external security auditing by qualified providers.