Towards Fuzzing Zero-Knowledge Proof Circuits (Short Paper)
Stefanos Chaliasos, Imam Al-Fath, Alastair Donaldson
TL;DR
This paper investigates applying fuzzing to zero-knowledge proof (ZKP) circuits, identifying fundamental challenges such as test oracles, witness generation, and performance, and proposing practical strategies including differential testing, invariant-based oracles, and hybrid methods. It demonstrates the approach with a case study on zk-regex (via zk-email workflows), where a grammar-based fuzzer and differential testing against a reference regex implementation uncovered 13 bugs, all confirmed by developers. The work positions fuzzing as a valuable complement to formal verification and static analysis for improving the reliability and security of ZKP circuits, and outlines open problems and future directions to enhance coverage and cross-DSL applicability. Overall, the paper provides a concrete methodology for fuzzing ZKP circuits and presents compelling evidence of its effectiveness in detecting meaningful bugs in real-world ZKP tooling.
Abstract
Zero-knowledge proofs (ZKPs) have evolved from a theoretical cryptographic concept into a powerful tool for implementing privacy-preserving and verifiable applications without requiring trust assumptions. Despite significant progress in the field, implementing and using ZKPs via \emph{ZKP circuits} remains challenging, leading to numerous bugs that affect ZKP circuits in practice, and \emph{fuzzing} remains largely unexplored as a method to detect bugs in ZKP circuits. We discuss the unique challenges of applying fuzzing to ZKP circuits, examine the oracle problem and its potential solutions, and propose techniques for input generation and test harness construction. We demonstrate that fuzzing can be effective in this domain by implementing a fuzzer for \texttt{zk-regex}, a cornerstone library in modern ZKP applications. In our case study, we discovered \textit{$10$} new bugs that have been confirmed by the developers.