Verifiable Provenance of Software Artifacts with Zero-Knowledge Compilation
Javier Ron, Martin Monperrus

TL;DR
This paper introduces a zero-knowledge proof system for software provenance, enabling verification that a binary was compiled from specific source code without revealing the source, enhancing security and trust.
Contribution
It presents a novel zkVM-based approach for verifiable compilation, providing cryptographic proofs of source-to-binary provenance that are practical for real-world software.
Findings
Successfully verified 200 synthetic programs and real-world source files.
Blocked all tested adversarial attacks including substitution and tampering.
Demonstrated applicability to complex software like OpenSSL and libsodium.
Abstract
Verifying that a compiled binary originates from its claimed source code is a fundamental security requirement, called source code provenance. Achieving verifiable source code provenance in practice remains challenging. The most popular technique, called reproducible builds, requires difficult matching and reexecution of build toolchains and environments. We propose a novel approach to verifiable provenance based on compiling software with zero-knowledge virtual machines (zkVMs). By executing a compiler within a zkVM, our system produces both the compiled output and a cryptographic proof attesting that the compilation was performed on the claimed source code with the claimed compiler. We implement a proof-of-concept implementation using the RISC Zero zkVM and the ChibiCC C compiler, and evaluate it on 200 synthetic programs as well as 31 OpenSSL and 21 libsodium source files. Our…
Taxonomy
Topics: Security and Verification in Computing · Scientific Computing and Data Management · Advanced Malware Detection Techniques
