Paper 2024/1841

Verifying Jolt zkVM Lookup Semantics

Carl Kwan, The University of Texas at Austin
Quang Dao, Carnegie Mellon University
Justin Thaler, Georgetown University, a16z crypto research
Abstract

Lookups are a popular way to express repeated constraints in state-of-the art SNARKs. This is especially the case for zero-knowledge virtual machines (zkVMs), which produce succinct proofs of correct execution for programs expressed as bytecode according to a specific instruction set architecture (ISA). The Jolt zkVM (Arun, Setty & Thaler, Eurocrypt 2024) for RISC-V ISA employs Lasso (Setty, Thaler & Wahby, Eurocrypt 2024), an efficient lookup argument for massive structured tables, to prove correct execution of instructions. Internally, Lasso performs multiple lookups into smaller subtables, then combines the results. We present an approach to formally verify Lasso-style lookup arguments against the semantics of instruction set architectures. We demonstrate our approach by formalizing and verifying all Jolt 32-bit instructions corresponding to the RISC-V base instruction set (RV32I) using the ACL2 theorem proving system. Our formal ACL2 model has undergone extensive validation against the Rust implementation of Jolt. Due to ACL2's bit-blasting, rewriting, and developer-friendly features, our formalization is highly automated. Through formalization, we also discovered optimizations to the Jolt codebase, leading to improved efficiency without impacting correctness or soundness. In particular, we removed one unnecessary lookup each for four instructions, and reduced the sizes of three subtables by 87.5\%.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint.
Keywords
snarklookupsrisc-vzkvmlassojoltformal verificationacl2
Contact author(s)
carlkwan @ utexas edu
qvd @ andrew cmu edu
justin r thaler @ gmail com
History
2024-11-20: last of 2 revisions
2024-11-09: received
See all versions
Short URL
https://ia.cr/2024/1841
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1841,
      author = {Carl Kwan and Quang Dao and Justin Thaler},
      title = {Verifying Jolt {zkVM} Lookup Semantics},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1841},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1841}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.