The library is not ready for production use!
Implements various RSA-based protocols from the paper "Zero-Knowledge Proofs for Set Membership: Efficient, Succinct, Modular".
It implements the following protocols:
- CPMemRSA - RSA-based set membership.
- CPNonMemRSA - RSA-based set non-membership.
The protocols are composed out of the following subprotocols:
- root - shows a committed element exists in an accumulator.
- coprime - shows a committed element does not exist in an accumulator.
- modeq - shows an integer commitment and a Pedersen commitment contain the same value.
- hash_to_prime - a number of protocols that perform a range proof or hash-to-prime and output a commitment:
  - snark_range - LegoGroth16-based range proof.
  - snark_hash - Bulletproofs-based range proof.
  - bp - LegoGroth16-based hash-to-prime proof.
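The plain RSA-accumulator relations behind root and coprime, as an added example that is not code from this library: it has no commitments and no zero knowledge, and only shows what a valid membership or non-membership witness satisfies. The modulus, generator, sample set and all function names are assumptions constructed for illustration.

```rust
// Toy RSA accumulator; all parameters are constructed and insecure by size.
const N: u128 = 3233; // 61 * 53; a real modulus is 2048+ bits with unknown factors
const G: u128 = 2;
fn pow_mod(mut b: u128, mut e: u128) -> u128 {
    let mut r = 1;
    while e > 0 {
        if e & 1 == 1 { r = r * b % N; }
        b = b * b % N;
        e >>= 1;
    }
    r
}
// Inverse of x modulo m (extended Euclid); None when gcd(x, m) != 1.
fn inv_mod(x: u128, m: u128) -> Option<u128> {
    let (mut r0, mut r1, mut t0, mut t1) = (m as i128, (x % m) as i128, 0i128, 1i128);
    while r1 != 0 {
        let q = r0 / r1;
        (r0, r1) = (r1, r0 - q * r1);
        (t0, t1) = (t1, t0 - q * t1);
    }
    if r0 == 1 { Some(t0.rem_euclid(m as i128) as u128) } else { None }
}

fn accumulate(set: &[u128]) -> u128 { pow_mod(G, set.iter().product()) }
// Membership witness: G raised to the product of every element except e.
fn member_witness(set: &[u128], e: u128) -> u128 {
    pow_mod(G, set.iter().filter(|&&x| x != e).product())
}
// Relation behind `root`: W^e = Acc (mod N).
fn verify_member(acc: u128, e: u128, w: u128) -> bool { pow_mod(w, e) == acc }

// Non-membership witness (D, b) from a*e + b*P = 1, where P is the set product.
fn nonmember_witness(set: &[u128], e: u128) -> Option<(u128, u128)> {
    let p: u128 = set.iter().product();
    let b = inv_mod(p, e)?; // None when prime e divides P, i.e. e is accumulated
    let neg_a = (b * p - 1) / e; // a = -neg_a <= 0, so D = (G^-1)^neg_a
    Some((pow_mod(inv_mod(G, N)?, neg_a), b))
}
// Relation behind `coprime`: D^e * Acc^b = G (mod N).
fn verify_nonmember(acc: u128, e: u128, d: u128, b: u128) -> bool {
    pow_mod(d, e) * pow_mod(acc, b) % N == G
}
fn main() {
    let set = [7u128, 11, 17]; // constructed sample set of primes
    let acc = accumulate(&set);
    assert!(verify_member(acc, 11, member_witness(&set, 11)));
    let (d, b) = nonmember_witness(&set, 19).unwrap();
    assert!(verify_nonmember(acc, 19, d, b));
}
```

Elements must be prime for these relations to bind to set membership, which is why the hash_to_prime subprotocols sit alongside root and coprime.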
The following commands assume you have a recent stable Rust toolchain installed, e.g. 1.42.0. The Bulletproofs implementation also requires a nightly toolchain.
To run the tests for membership and non-membership protocols on BLS12-381, run `cargo test --release`.
To run the tests for membership and non-membership protocols on Ristretto, run `cargo +nightly test --release --no-default-features --features dalek`.
The library contains a number of benchmarks:
- membership_prime - benchmarks RSA-based set membership when the elements are prime with a LegoGroth16 range proof.
- membership_prime_60 - benchmarks RSA-based set membership when the elements are prime and are also small (around 60 bits) with a LegoGroth16 range proof.
- membership_bp - benchmarks RSA-based set membership when the elements are prime with a Bulletproofs range proof.
- membership_bp_60 - benchmarks RSA-based set membership when the elements are prime and are also small (around 60 bits) with a Bulletproofs range proof.
- membership_hash - benchmarks RSA-based set membership when the elements are not prime and a Blake2s-based hash-to-prime is performed.
- membership_class - benchmarks class groups-based set membership when the elements are prime with a LegoGroth16 range proof. This is slow and experimental and the paper doesn't prove its security.
- nonmembership_prime - benchmarks RSA-based set non-membership when the elements are prime with a LegoGroth16 range proof.
- nonmembership_bp - benchmarks RSA-based set non-membership when the elements are prime with a Bulletproofs range proof.
- nonmembership_hash - benchmarks RSA-based set non-membership when the elements are not prime and a Blake2s-based hash-to-prime is performed.
To run benchmarks for the protocols with SNARKs use `cargo bench`, and for the protocols with Bulletproofs use `cargo bench --no-default-features --features dalek`.
We've implemented LegoGroth16 on top of the Zexe library.
We've modified Cambrian Tech's accumulator library. The modified version is available here.
We've modified librustzcash to get benchmarks for Merkle tree-based membership proofs. The modified version is available here. To run the benchmarks use `cargo run --release --example merkle_sha` for SHA256-based trees and `cargo run --release --example merkle_pedersen` for Pedersen hash-based trees.
This code is licensed under either of the following licenses, at your discretion.
Unless you explicitly state otherwise, any contribution that you submit to this library shall be dual licensed as above (as defined in the Apache v2 License), without any additional terms or conditions.
Zero-Knowledge Proofs for Set Membership: Efficient, Succinct, Modular
Daniel Benarroch, Matteo Campanelli, Dario Fiore, Kobi Gurkan, Dimitris Kolonelos.