What is ProveKit?

ProveKit is a zero knowledge Spartan + WHIR based proof system. You write a circuit in Noir; ProveKit compiles it to R1CS, generates WHIR proofs from your inputs, and verifies those proofs from Rust, WebAssembly, mobile, or via a Groth16 outer proof for on-chain settlement.

The problem ProveKit solves

A zero-knowledge proof lets one party (the prover) convince another (the verifier) that a statement is true, without revealing the data that makes the statement true.

A few statements ProveKit can help you prove:

“I am over 18”, without revealing a date of birth.
“I own a passport issued by country X”, without revealing the passport.
“This vote came from a registered voter”, without revealing which voter.
“This off-chain computation produced this result”, without re-running it on-chain.

The workflow is the same shape every time:

Write a circuit in Noir. A small program defining what counts as “true.”
Prepare prover and verifier keys from the compiled circuit.
Prove a specific instance using your real (private) inputs and the prover key.
Verify the proof anywhere using the verifier key and the public inputs.

ProveKit owns steps 2–4 and the runtime that runs them on every platform you ship to. You bring the Noir circuit; ProveKit handles the rest.

What’s in the box

ProveKit is a workspace of focused Rust crates plus tooling. Each piece has one job:

Crate / tool	Job
`provekit-r1cs-compiler`	Lower Noir’s ACIR into R1CS, with specialized handling for Poseidon2, SHA-256 compression, range checks, multi-scalar multiplication.
`provekit-prover`	Solve the witness in layers, commit via Merkle hashing, and produce the WHIR proof via Spartan-style sumcheck.
`provekit-verifier`	Replay the Fiat-Shamir transcript, run sumcheck verification, and bind the public inputs.
`provekit-cli`	The command-line entry point. Subcommands: `prepare`, `prove`, `verify`, plus inspection and recursive-verifier export.
`provekit-wasm`	Browser and Node.js bindings using `wasm-bindgen-rayon` for in-browser parallel proving when `SharedArrayBuffer` is available.
`provekit-ffi`	C ABI for Swift, Kotlin, Python, and any host that can call a shared library. Includes an mmap-backed allocator for mobile circuits that exceed RAM.
`verifier-server`	An Axum HTTP service that downloads artifacts and orchestrates verification with configurable concurrency and timeouts.
`recursive-verifier/`	A Go/gnark module that wraps a ProveKit proof in Groth16 so it can be verified by an EVM contract.
`skyscraper`	A custom BN254 hash engine with SIMD-accelerated field arithmetic.

What makes ProveKit specifically different

No trusted setup. WHIR’s commitment scheme is hash-based. The base proof needs no per-circuit ceremony and no toxic-waste handling. You compile a circuit and ship.
Post-quantum secure base proof. WHIR inherits PQ-security from the chosen hash function (Skyscraper, SHA-256, Keccak, Blake3, or Poseidon2), so its hardness assumptions survive Shor-style attacks. The optional Groth16 wrapper for on-chain settlement uses pairing-based crypto (BN254) and is not post-quantum secure, scope on-chain proofs accordingly.

Before you build

Two pages matter on day one: Artifact lifecycle for how .pkp / .pkv / proof.np are paired and versioned, and Security and trust model for what verification does and doesn’t say about authorization.

A worked picture

The checked-in noir-examples/basic circuit proves you know two field elements that hash (via Poseidon2) to a known commitment:

use dep::poseidon2;

fn main(plains: [Field; 2], result: pub Field) {
    let hash = poseidon2::bn254::hash_2(plains);
    assert(hash == result);
}

plains stays private; only the prover sees it. result is the public input that goes into the proof. A successful verification means the prover knows two field elements that hash to result, and the verifier learns the prover does, without learning plains.

That tiny circuit is the same shape as much bigger ones: identity attestation, set membership, off-chain computation, range proofs. Once you can build, prove, and verify this one, every other circuit follows the same workflow.