When we released the ZK Book over a year ago, we took the ZK education space a huge step forward.
Our book pioneered the approach of "just enough math" to learn ZK.
Today we do it again with a new addition to the ZK Book.
"Circom and Constraint Design Patterns"
This new section focuses on how to design, create, and audit non-trivial ZK circuits.
You've probably seen a lot of tutorials about how to prove you know the evaluation of a polynomial using Circom.
But how do you go from there to designing a ZKVM or proving you know the primage of a traditional hash function (like MD5 or Keccak256)?
The new part of our ZK Book takes you on a journey from multiplying to numbers together to:
- building a ZKVM from scratch
- coding constraints for the MD5 hash function
- learn the recurring design patterns in constraint design
The last part was interesting because some of the established "design patterns" don't even have names for them. We had to invent some terminology!
As usual, we are extremely thoughtful about how we introduce the reader to new ideas to avoid overwhelming someone new. We are careful to ensure we teach the prerequisites in a sensible order and with a lot of examples.
Each chapter shows how to build a circuit for an increasingly complex application. With each chapter, you both review what you learned previously and learn a new design pattern.
Once you build up a collection of these design patterns, you can compose them together to build more complex applications, like the ZKVM or a non-trivial hash function.
We put a huge effort into making sure that the material is both easy to understand and correct without any important omissions.
We'd like to thank @ChainLight_io, @VeridiseInc, @PrivacyScaling, and @zksecurityXYZ for allocating time to review this work and provide suggestions.
We are particularly grateful to @marcobesier from @zksecurityXYZ for working through several revisions to really get the chapters into a polished state.
Special shoutout to @cal_nix for coauthoring the first seven chapters in this new part of the book!
The topics we cover here are extremely fundamental. If you don't understand the materials here, learning the internals of more modern ZKVM or ZK L2 client will be quite challenging. Up until now, the absence of newcomer-oriented explanations for such foundational concepts has held the ZK space back.
This new body of work isn't simply a "better explanation" of existing materials, but the first explanation at all -- outside of academic papers.
We use Circom as the language of instruction since we consider it the most beginner-friendly. However, what you learn here generalizes to other frameworks like Plonky3, Halo2, o1js, and Gnark. The new articles now make the ZK Book over 38,000 words longer.
You do not have to know how a ZK-SNARK works to read this section of the book, but there are a few prerequisites. These are listed in the "Introduction to Circom" chapter.
As usual, the material is completely free with no login required.