proof_system
The goal of this crate is to allow creating and combining zero knowledge proofs by executing several
protocols as sub-protocols.
The idea is to represent each relation to be proved as a Statement, and any relations between
Statements as a MetaStatement. Both of these types contain public (known to both prover
and verifier) information and are contained in a ProofSpec whose goal is to unambiguously
define what needs to be proven. The prover then uses a Witness per Statement and creates a
StatementProof per Statement. All StatementProofs are grouped together in a Proof
and the verifier then uses the ProofSpec and Proof to verify the proof. Currently it is
assumed that there is one StatementProof per Statement and one Witness per Statement
and StatementProofs appear in the same order in Proof as Statements do in ProofSpec.
Statement, Witness and StatementProof are enums whose variants are entities from the different
protocols. Each of these protocols is a variant of the enum SubProtocol.
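As an added illustration, not the crate's own code or API (this README shows neither), the toy below models the Statement / MetaStatement / ProofSpec / Witness / StatementProof / Proof split with one sub-protocol, a Schnorr proof of knowledge of a discrete log, and shows how a MetaStatement asserting witness equality across two Statements is enforced: the prover uses one shared blinding so the two responses are equal, and the verifier checks that they are, after checking each StatementProof and that there is one proof per Statement in order. The type names, the group (Z_p^* with a 61-bit prime, insecure) and the Fiat-Shamir hash (std's DefaultHasher, not a cryptographic hash) are assumptions made for the example only.

```rust
use std::{collections::hash_map::DefaultHasher, hash::{Hash, Hasher}};
// Toy group Z_p^* with p = 2^61 - 1; exponents are reduced mod p - 1. Illustrative only, not secure.
const P: u128 = (1u128 << 61) - 1;
const Q: u128 = P - 1;
fn pow_mod(mut b: u128, mut e: u128) -> u128 { // b^e mod P, base assumed < P
    let mut acc = 1u128;
    while e > 0 {
        if e & 1 == 1 { acc = acc * b % P; }
        b = b * b % P; e >>= 1;
    }
    acc
}
// Fiat-Shamir: one challenge over the whole transcript binds all sub-proofs to each other.
fn challenge(transcript: &[u128]) -> u128 {
    let mut h = DefaultHasher::new(); transcript.hash(&mut h);
    (h.finish() as u128) % Q
}
pub enum Statement { DiscreteLog { g: u128, y: u128 } }   // "I know x such that g^x = y"
pub enum MetaStatement { WitnessEquality(Vec<usize>) }    // witnesses of these statements are equal
pub struct ProofSpec { pub statements: Vec<Statement>, pub meta_statements: Vec<MetaStatement> }
pub enum Witness { DiscreteLog(u128) }
pub enum StatementProof { Schnorr { t: u128, s: u128 } }
pub struct Proof { pub statement_proofs: Vec<StatementProof> }
// blindings[i] is the fresh random nonce for statement i; statements tied by a WitnessEquality share one nonce.
pub fn prove(spec: &ProofSpec, witnesses: &[Witness], blindings: &[u128]) -> Proof {
    let mut transcript = Vec::new();
    for (i, Statement::DiscreteLog { g, y }) in spec.statements.iter().enumerate() {
        transcript.extend_from_slice(&[*g, *y, pow_mod(*g, blindings[i])]); // t_i = g^r_i
    }
    let c = challenge(&transcript);
    Proof { statement_proofs: (0..spec.statements.len()).map(|i| {
        let Witness::DiscreteLog(x) = &witnesses[i];
        StatementProof::Schnorr { t: transcript[3 * i + 2], s: (blindings[i] + c * (*x % Q)) % Q }
    }).collect() }
}
pub fn verify(spec: &ProofSpec, proof: &Proof) -> bool {
    if proof.statement_proofs.len() != spec.statements.len() { return false; } // one proof per statement
    let mut transcript = Vec::new();
    for (Statement::DiscreteLog { g, y }, StatementProof::Schnorr { t, .. }) in spec.statements.iter().zip(&proof.statement_proofs) {
        transcript.extend_from_slice(&[*g, *y, *t]);
    }
    let c = challenge(&transcript);
    for (Statement::DiscreteLog { g, y }, StatementProof::Schnorr { t, s }) in spec.statements.iter().zip(&proof.statement_proofs) {
        if pow_mod(*g, *s) != *t * pow_mod(*y, c) % P { return false; } // g^s == t * y^c
    }
    spec.meta_statements.iter().all(|MetaStatement::WitnessEquality(idxs)| { // equal witnesses => equal responses
        let resp = |i: usize| match &proof.statement_proofs[i] { StatementProof::Schnorr { s, .. } => *s };
        idxs.iter().all(|&i| i < proof.statement_proofs.len()) && idxs.windows(2).all(|w| resp(w[0]) == resp(w[1]))
    })
}
```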
Currently supports
- proof of knowledge of a BBS+ signature and signed messages
- proof of knowledge of multiple BBS+ signatures and equality of certain messages across them
- proof of knowledge of accumulator membership and non-membership
- proof of knowledge of Pedersen commitment opening.
- proof of knowledge of a BBS+ signature and that a certain signed message lies within given bounds (range proof)
- verifiable encryption of messages in a BBS+ signature
See following tests for examples:
- test `pok_of_3_bbs_plus_sig_and_message_equality` proves knowledge of 3 BBS+ signatures and also that certain messages are equal among them without revealing them.
- test `pok_of_bbs_plus_sig_and_accumulator` proves knowledge of a BBS+ signature and also that certain messages are present and absent in the 2 accumulators respectively.
- test `pok_of_knowledge_in_pedersen_commitment_and_bbs_plus_sig` proves knowledge of a BBS+ signature and opening of a Pedersen commitment.
- test `requesting_partially_blind_bbs_plus_sig` shows how to request a blind BBS+ signature by proving opening of a Pedersen commitment.
- test `verifier_local_linkability` shows how a verifier can link separate proofs from a prover (with the prover's permission) and assign a unique identifier to the prover without learning any message from the BBS+ signature. This identifier cannot be linked across different verifiers (intentional by the prover).
- test `pok_of_bbs_plus_sig_and_bounded_message` shows proving knowledge of a BBS+ signature and that a specific message satisfies some upper and lower bounds, i.e. min <= signed message <= max. This is a range proof.
- test `pok_of_bbs_plus_sig_and_verifiable_encryption` shows how to verifiably encrypt a message signed with BBS+ such that the verifier cannot decrypt it but can still ensure that it is encrypted correctly for the specified decryptor.
Note: This design is largely inspired by my work at Hyperledger Ursa.
Note: The design is tentative and will likely change as more protocols are integrated.
License: Apache-2.0