Skip to main content

risc0 Verifier


Statement hash components

  • context: keccak256(b"risc0")
  • vk: vk
  • pubs: keccak256(pubs)

Verifier implementation

That's a zk-STARK proof verifier where the proof proves that some code has executed correctly and generates the associated computation output. The code is attested through an image_id (named verification key in the verification process) and runs inside the risc0-zkVM that provides the proof of execution through a receipt which contains the raw proof and the public inputs (journal in risc0 lingo) for the verification process.

  • verify_proof() uses risc0-verifier crate to deserialize the proof and public inputs and then verify them against the given verification key.

  • Define the following types:

    pub type Proof = Vec<u8>;
    pub type Pubs = Vec<u8>;
    pub type Vk = H256;

    The format for these components is:

    • Proof: The risc0's InnerProof serialized by bincode::serialize.
    • Pubs Public inputs: The risc0's Journal serialized by bincode::serialize.
    • Vk Verification key: a bytes array of length 32; the conversion from a risc0 image_id (an integer array of length 8) must be big-endian.
  • hash context data is b"risc0"

  • the pubs bytes are the input ones

  • vk_hash() just forward the given verification key and vk_bytes() should never be called: in this case we cannot know the verification key preimage.


In this pallet it doesn't make sense to register any verification key, because the verification key hash function vk_hash() is the identity.


The pallet uses risc0-verifier crate to deserialize the proof and public inputs and then verify them. The pallet's duties are summarized in the following code snippet:

assert!(risc0_verifier::verify(vk, &proof, &pubs).is_ok());

The submitProof exstrinsic can fail both if it's not possible to deserialize the proof or public inputs (InvalidProofData, InvalidInput) or if the proof doesn't verify (VerifyError).