CIRCOM: A Robust and Scalable Language for Building Complex
Zero-Knowledge Circuits
Abstract
A zero-knowledge (ZK) proof guarantees that the result of a computation
is correct while keeping part of the computation details private. Some
ZK proofs are tiny and can be verified in a short time, which makes them
one of the most promising technologies for addressing two key challenges:
enabling privacy on public and transparent distributed ledgers, and
overcoming the scalability limitations of distributed ledgers. Most
practical ZK systems require the computation to be expressed as an
arithmetic circuit that is encoded as a set of equations called a
rank-1 constraint system (R1CS).
In this paper, we present circom, a programming language
and a compiler for designing arithmetic circuits that are compiled to
R1CS. More precisely, with circom, programmers can
design arithmetic circuits, and the compiler outputs (i) a file with the
R1CS description, (ii) WebAssembly and C++
programs to efficiently compute all values of the circuit. We also
provide an open-source library called circomlib, with
multiple circuit templates. Moreover, circom can be
complemented with snarkjs, a tool for generating and
validating ZK proofs from R1CS. Altogether, our software tools abstract
the complexity of the proving mechanisms and provide a friendly
interface to model low-level descriptions of arithmetic circuits.
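
The two compiler outputs described above (an R1CS description and a program that computes all circuit values), sketched as an added example in Python; this is not code from the paper or from circom. The circuit out = x^3 + x + 5, the witness layout, and the function names are constructed for illustration, and the field prime is assumed to be the BN254 scalar field that circom uses by default.

```python
# Added example: a hand-built R1CS for out = x**3 + x + 5 (constructed circuit).
# Assumption: arithmetic is over the BN254 scalar field, circom's default prime.
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# Witness layout (chosen for this example): w = [1, out, x, v1, v2]
# Each constraint is (A . w) * (B . w) = (C . w) mod P, stored sparsely
# as {witness_index: coefficient}.
R1CS = [
    ({2: 1}, {2: 1}, {3: 1}),              # x * x  = v1
    ({3: 1}, {2: 1}, {4: 1}),              # v1 * x = v2
    ({4: 1, 2: 1, 0: 5}, {0: 1}, {1: 1}),  # (v2 + x + 5) * 1 = out
]

def dot(row, w):
    """Sparse linear combination of witness entries, reduced mod P."""
    return sum(coeff * w[i] for i, coeff in row.items()) % P

def compute_witness(x):
    """Plays the role of the generated witness calculator: fill in every signal."""
    x %= P
    v1 = x * x % P
    v2 = v1 * x % P
    out = (v2 + x + 5) % P
    return [1, out, x, v1, v2]

def failing_constraints(r1cs, w):
    """Return indices of constraints the witness violates (empty list = satisfied)."""
    if w[0] != 1:
        raise ValueError("witness[0] must be the constant 1")
    return [k for k, (a, b, c) in enumerate(r1cs)
            if dot(a, w) * dot(b, w) % P != dot(c, w)]

if __name__ == "__main__":
    w = compute_witness(3)
    print("out =", w[1], "violations:", failing_constraints(R1CS, w))
    forged = list(w)
    forged[1] = 36  # claim a different output without changing the other signals
    print("forged violations:", failing_constraints(R1CS, forged))
```

A proof system built on this R1CS accepts only witnesses for which `failing_constraints` is empty, so a claimed output that does not match the computation is rejected by the constraint that ties it to the intermediate signals.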