Generating Proofs

Generating a proof using the CLI is simple - first generate a key, then generate your proof. Using command defaults, this looks like:

cargo openvm keygen --app-only  # generate proving and verification keys for app proofs
cargo openvm prove app          # generate the app proof
 
cargo openvm setup              # generate internal-recursive aggregation key
cargo openvm keygen             # generate app keys and aggregation prefix key
cargo openvm prove stark        # generate the STARK proof
 
cargo openvm setup --evm        # generate aggregation and EVM proving keys
cargo openvm keygen             # generate app keys and aggregation prefix key
cargo openvm prove evm          # generate the EVM proof

Note that if your program takes inputs, you will have to pass them to the cargo openvm prove command using the --input option.

Application Key Generation

The keygen command generates both an application proving and verification key.

cargo openvm keygen --config <path_to_app_config>

Similarly to build, run, and prove, options --manifest-path, --target-dir, and --output-dir are provided.

If --config is not specified, the command will search for openvm.toml in the manifest directory. If the file isn't found, a default configuration will be used.

The proving key, verification key, and aggregation prefix proving key will be written to ${target-dir}/../openvm/ (by default ./openvm/), and also to --output-dir if specified. Use --app-only to skip generating the aggregation prefix key, which is only needed for STARK and EVM proving.

Generating App Commitments

Once you have built the guest program and run cargo openvm keygen, you can extract commitments to the program binary and the VM configuration using the following CLI command:

cargo openvm commit
    --app-pk <path_to_app_pk>
    --agg-prefix-pk <path_to_agg_prefix_pk>
    --exe <path_to_transpiled_program>

This generates two files in ${target-dir}/../openvm/${profile}/ (and --output-dir if specified):

*.commit.json — contains the BN254 commitments for EVM proof public value verification:
- app_exe_commit: A commitment to the OpenVM program binary.
- app_vm_commit: A commitment to the OpenVM configuration.
*.baseline.json — contains the full verification baseline used by cargo openvm verify stark, including the exe commit, memory dimensions, and all aggregation VK commits.

If --app-pk or --agg-prefix-pk are not provided, the command will search for them at ${target-dir}/../openvm/app.pk and ${target-dir}/../openvm/agg_prefix.pk respectively. If --exe is not provided, the command will call build before generating the commits. Many of the Cargo options available to cargo openvm run are available to commit too, for more information on the available options see Run Flags.

STARK and EVM Key Generation

The setup command generates proving and verification keys for STARK aggregation and EVM proofs.

cargo openvm setup [--evm]

If called without the --evm flag, it writes the internal-recursive aggregation proving key used by cargo openvm prove stark and cargo openvm verify stark. If called with the --evm flag, it also writes the root proving key, downloads Halo2 parameters, and generates or downloads the Solidity verifier artifacts used by the EVM flow.

Details on EVM Verification

In addition to writing the proving keys needed by the CLI, cargo openvm setup --evm also generates a smart contract verifier for EVM chains. Upon a successful run, the command will write the files

internal_recursive.pk
root.pk
halo2/src/[OPENVM_VERSION]/Halo2Verifier.sol
halo2/src/[OPENVM_VERSION]/OpenVmHalo2Verifier.sol
halo2/src/[OPENVM_VERSION]/interfaces/IOpenVmHalo2Verifier.sol
halo2/src/[OPENVM_VERSION]/verifier.bytecode.json
params/

to ~/.openvm/, where ~ is the directory specified by environment variable $HOME and OPENVM_VERSION is the version of OpenVM. Every command that requires these files will look for them in this directory. The smart contract verifier is also available via the OpenVM Solidity SDK for released versions of OpenVM.

The file internal_recursive.pk is the proving key for the internal-recursive aggregation layer. The file root.pk is the proving key for the root layer used during EVM proof generation. The params directory contains various trusted setup KZG parameters needed to guarantee Halo2's cryptographic security. The OpenVmHalo2Verifier.sol file contains a Solidity contract to verify the final EVM proof. The contract is named OpenVmHalo2Verifier and it implements the IOpenVmHalo2Verifier interface.

IOpenVmHalo2Verifier.sol

interface IOpenVmHalo2Verifier {
    function verify(bytes calldata publicValues, bytes calldata proofData, bytes32 appExeCommit, bytes32 appVmCommit)
        external
        view;
}

In addition, the command outputs a JSON file verifier.bytecode.json of the form

verifier.bytecode.json

{
    "sol_compiler_version": "0.8.19",
    "sol_compiler_options": "..",
    "bytecode": ".."
}

where sol_compiler_version is the Solidity compiler version used to compile the contract (currently 0.8.19), sol_compiler_options are additional compiler options used, and bytecode is the compiled EVM bytecode as a hex string (without the 0x prefix).

To download pre-built verifier artifacts from S3 instead of generating them locally, use the --download flag:

cargo openvm setup --evm --download

This downloads the Solidity verifier contract and bytecode for the current OpenVM version, avoiding the need to have solc installed or to run the local generation step.

Proof Generation

The prove CLI command, at its core, uses the options below. prove gets access to all of the options that run has (see Running a Program for more information).

cargo openvm prove <app | stark | evm>
    --app-pk <path_to_app_pk>
    --exe <path_to_transpiled_program>
    --input <path_to_input>
    --proof <path_to_proof_output>

If --app-pk is not provided, the command will search for a proving key at ${target-dir}/../openvm/app.pk. The stark and evm subcommands also require aggregation proving artifacts from cargo openvm keygen and cargo openvm setup.

If --exe is not provided, the command will call build before generating a proof.

If your program doesn't require inputs, you can (and should) omit the --input flag.

If --proof is not provided then the command will write the proof to ./${bin_name}.<app | stark | evm>.proof by default, where bin_name is the file stem of the executable run.

The app subcommand generates an application-level proof, the stark command generates an aggregated root-level proof, while the evm command generates an end-to-end EVM proof. For more information on aggregation, see the specification. See Verifying EVM Proofs for details on the output format for cargo openvm prove evm.