ZKScope is a static analyzer for Circom circuits, focused on privacy leakage detection in zero-knowledge applications. It builds on the AST and program-structure infrastructure inherited from Circomspect, and extends it with ZKScope's leakage analysis and evaluation workflow.
Build the project from source:

```sh
cargo build --release
```

Install the command locally:

```sh
cargo install --path cli
```

Analyze a circuit or a directory of circuits:

```sh
zkscope path/to/circuit
```

By default, ZKScope prints warnings and errors to stdout. Use --level to include informational results, --allow to suppress selected report IDs, and --verbose to show report IDs and additional details.
ZKScope supports the same curves as Circom: BN254, BLS12-381, and Goldilocks. Use --curve to select a non-default curve.
For privacy-leakage evaluation from a main component while respecting Circom public input declarations, use:

```sh
zkscope --mode main path/to/circuit.circom
```

The --ccig-variant flag selects the leakage-analysis variant used in the paper experiments.
ZKScope keeps the original Circom static-analysis checks and adds privacy-oriented leakage inference. The inherited checks are documented in doc/analysis_passes.md.
The evaluation/ directory contains the dataset, scripts, raw outputs, comparison summaries, and manual audits used in the ZKScope paper evaluation.
The artifact is organized into four parts:
| Part | Location | Contents |
|---|---|---|
| Dataset | evaluation/evaluation_projects, evaluation/evaluation_projects_repo_urls.txt | The repository URL list and extracted .circom files analyzed in the evaluation. |
| Source Code | cli, parser, program_analysis, program_structure, circom_algebra, evaluation/tools | The ZKScope implementation and scripts for running the analysis and rebuilding result tables. |
| Evaluation Results | evaluation/evaluation_results | Raw outputs from the full pipeline, ablation variants, the V-Replica baseline, and comparison summaries used to derive aggregate paper results. |
| Audit Results | evaluation/audit, evaluation/audit_details | Manual audit records used to validate reported leakages and classify confirmed leakages. |
The main result files in evaluation/evaluation_results are:

- full.csv/full.txt: the full ZKScope pipeline, including CCIG construction with compositional sub-circuit expansion, Phase I forward information flow over computation edges, and Phase II worklist-driven fixed-point leakage inference over constraint edges.
- no_unroll_conservative.csv/no_unroll_conservative.txt and no_unroll_aggressive.csv/no_unroll_aggressive.txt: no-composition ablations. During CCIG construction, sub-circuits outside the known-library set are treated as opaque boundaries, so information propagation and leakage inference cannot trace through expanded sub-circuit structure.
- single_pass.csv/single_pass.txt: the single-pass ablation. Phase II evaluates each constraint edge once without revisiting it, disabling fixed-point iteration and isolating the effect of iterative cascading-leakage inference.
- vanguard_lite.csv/vanguard_lite.txt: the V-Replica baseline, a replica of Veridise's documented Private Input Leakage analysis. It performs per-template witness-flow tracking with whitelisting for standard circomlib cryptographic primitives and reports its native constraint-leakage and dataflow-leakage categories.

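
To see why the single-pass ablation can miss cascading leakage that the fixed-point variant finds, here is a toy model added for illustration; it is not ZKScope's code. The inference rule, the numeric signal ids, and the representation of a constraint edge as a set of signals are all assumptions made for this sketch.

```rust
use std::collections::{BTreeSet, VecDeque};

/// A constraint edge, modelled only as the signal ids it relates.
type Constraint = Vec<usize>;

/// Assumed toy rule (not ZKScope's): when all but one signal of a
/// constraint are known, the remaining signal can be inferred.
fn infer(c: &Constraint, known: &BTreeSet<usize>) -> Option<usize> {
    let mut unknown = c.iter().copied().filter(|s| !known.contains(s));
    match (unknown.next(), unknown.next()) {
        (Some(s), None) => Some(s),
        _ => None,
    }
}

/// Single pass: evaluate each constraint edge once, in order.
fn single_pass(cs: &[Constraint], public: &[usize]) -> BTreeSet<usize> {
    let mut known: BTreeSet<usize> = public.iter().copied().collect();
    for c in cs {
        if let Some(s) = infer(c, &known) {
            known.insert(s);
        }
    }
    known
}

/// Worklist fixed point: a newly inferred signal re-queues every other
/// constraint that mentions it, so inferences can cascade.
fn fixed_point(cs: &[Constraint], public: &[usize]) -> BTreeSet<usize> {
    let mut known: BTreeSet<usize> = public.iter().copied().collect();
    let mut work: VecDeque<usize> = (0..cs.len()).collect();
    while let Some(i) = work.pop_front() {
        if let Some(s) = infer(&cs[i], &known) {
            known.insert(s);
            for (j, c) in cs.iter().enumerate() {
                if j != i && c.contains(&s) && !work.contains(&j) {
                    work.push_back(j);
                }
            }
        }
    }
    known
}

fn main() {
    // Constructed sample: signal 0 is public, signals 1..=3 are private.
    let cs: Vec<Constraint> = vec![vec![2, 3], vec![1, 2], vec![0, 1]];
    println!("single pass: {:?}", single_pass(&cs, &[0]));
    println!("fixed point: {:?}", fixed_point(&cs, &[0]));
}
```

On this constructed input the single pass only reaches signal 1, because the constraints that depend on it were visited earlier; the worklist revisits them and reaches all three private signals.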
Comparison artifacts are stored next to the raw outputs:

- compare_all_summary.csv: aggregate comparison across variants.
- compare_all_differences.csv: per-case differences between variants.
- compare_all_exclusive_findings.csv: findings reported by only one variant.
- compare_all_report.md: human-readable comparison report.
- paper_results_summary.csv and paper_results_tp_mapping.csv: paper-facing summary tables and true-positive mappings.

See evaluation/README.md and evaluation/tools/README_Evaluation.md for the artifact map and reproduction commands.