Arkworks circuits for verifiable time-lock encryption

zk-timelock

This repo contains arithmetic circuits for verifiable time-lock encryption, built with the arkworks-rs toolkit. For more details on the encryption scheme itself, see the drand/tlock (Go) and timoth-y/tlock-rs (Rust) repos.

Overview

The algorithm implemented here is Boneh-Franklin's [1] identity-based encryption (IBE) (see Rust code here). The main challenge in translating this scheme into an arithmetic circuit comes from its heavy use of target group (pairing product) operations, specifically GT-by-Fr multiplication, i.e. raising a target-group element to a scalar exponent.

All operations must be carried out over BLS12-381, as this is the only curve currently supported by the drand threshold network. This poses a problem: there is no commonly known pairing-friendly curve whose scalar field equals the base field of BLS12-381, and such a field match is needed for efficient KZG-based SNARKs.

There are multiple ways to tackle the problems mentioned above:

  1. Change the projective curve (e.g. to BLS12-377 [2], which can be embedded into BW6-761 [3])
    • trade-off: requires changes to the drand protocol.
  2. Simulate BLS12-381 using non-native arithmetic
    • trade-off: huge performance overhead.
  3. Find an application-specific curve that embeds the BLS12-381 base field
    • trade-off: such curves have low FFT space (the scalar field has tiny 2-adicity), but the Gemini [4] proving system can handle such brittle fields.
  4. Use the Halo2 proving system, which defers all pairings to the very end (i.e. accumulators); this makes non-native operations cheaper
    • trade-off: dev tools for constructing a halo2 circuit are currently lacking.

For experimentation, this repo provides circuits for the first three approaches. For the third approach, it also introduces YT6-776, an application-specific curve that embeds BLS12-381's base field. See details about it here.
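The approaches above all hinge on two field relations: whether a proving curve's scalar field equals the inner curve's base field (a 2-chain, which is what makes pairing checks native), and how much radix-2 FFT space that scalar field offers. The following is an added example, not code from the zk-timelock repo, that checks both relations with plain integers. The BLS12-381 and BLS12-377 moduli are the published curve constants; BW6-761's scalar field modulus is the published decimal value; the YT6-776 parameters are not on this page, so the last check only assumes, as the README states, that its scalar field is BLS12-381's base field.

```python
# Added example (not part of the zk-timelock repo): checks the field relations
# behind the README's curve choices using the standard published parameters.

# BLS12-381, the curve the drand network uses (base field p, scalar field r)
BLS12_381_P = int("1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f624"
                  "1eabfffeb153ffffb9feffffffffaaab", 16)
BLS12_381_R = int("73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001", 16)

# BLS12-377, the inner curve of option 1 in the README
BLS12_377_P = int("01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800"
                  "170b5d44300000008508c00000000001", 16)
BLS12_377_R = int("12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001", 16)

# BW6-761 scalar field modulus, as published for the curve (decimal form)
BW6_761_R = int("258664426012969094010652733694893533536393512754914660539884262666"
                "720468348340822774968888139573360124440321458177")


def two_adicity(n):
    """Largest k such that 2^k divides n."""
    k = 0
    while n % 2 == 0:
        n //= 2
        k += 1
    return k


def forms_two_chain(inner_p, outer_r):
    """True when the outer curve's scalar field is exactly the inner curve's
    base field, so inner-curve (and pairing) arithmetic is native in an
    outer-curve circuit."""
    return inner_p == outer_r


def fft_domain_bits(scalar_modulus):
    """log2 of the largest power-of-two evaluation domain a radix-2 FFT
    prover can use over this scalar field: the 2-adicity of r - 1."""
    return two_adicity(scalar_modulus - 1)


def curve_report(name, p, r):
    """Summarise the sizes and FFT space of a curve's two fields."""
    return {
        "curve": name,
        "base_bits": p.bit_length(),
        "scalar_bits": r.bit_length(),
        "fft_bits": fft_domain_bits(r),
    }


if __name__ == "__main__":
    for row in (curve_report("BLS12-381", BLS12_381_P, BLS12_381_R),
                curve_report("BLS12-377", BLS12_377_P, BLS12_377_R)):
        print(row)
    print("BLS12-377 inside BW6-761 is a 2-chain:",
          forms_two_chain(BLS12_377_P, BW6_761_R))
    print("BLS12-381 inside BW6-761 is a 2-chain:",
          forms_two_chain(BLS12_381_P, BW6_761_R))
    # Option 3: any curve whose scalar field is BLS12-381's base field
    # (assumed here for YT6-776, per the README) inherits that field's
    # 2-adicity, which is the "low FFT space" caveat.
    print("FFT bits for a curve with r = BLS12-381 p:",
          fft_domain_bits(BLS12_381_P))
```

Running it shows BLS12-377/BW6-761 passing the 2-chain check while BLS12-381/BW6-761 does not, and that BLS12-381's base field minus one is divisible by 2 only once, so a curve built over it has essentially no radix-2 FFT domain; that is why the README pairs option 3 with Gemini rather than a KZG/FFT-based prover.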

Circuits

  • Circuit<E: Pairing, P: Bls12Parameters>: a generic-curve circuit with native arithmetic only. Can be proved using the Groth16 system with the BLS12-377/BW6-761 curve combination.
  • NonnativeCircuit<C: CurveGroup>: a circuit that simulates BLS12-381 base fields using non-native arithmetic. Can be proved using the Groth16 system with any projective/pairing curve combination (also BLS12-377/BW6-761 here).
  • GeminiNativeCircuit: a modified native circuit that (currently) comes without input variables (see this issue for details). Can be proved using the Gemini system with the BLS12-381/YT6-776 curve combination.

Benchmarks

The experimental results can be found in BENCHMARKS.md.

Usage

To run the benchmarks on your machine, run cargo bench.

For examples of each circuit usage see benches/ibe_benchmark.rs.

Acknowledgements

I greatly thank Weikeng Chen for sharing the method of creating application-specific curves [5] and for all the helpful discussions about it.

References

Comments
  • error in running Benchmarks

    Hi, thanks for your great work. When running the benchmarks, I encounter the following errors; could you help take a look? Thanks.

    (1) there is no "sync-algebra" branch; see the following error info [image]

    (2) for error (1), I modified the referenced branch to "master"; however, I met a new compile error [image] [image]

    My PC environment is macOS with an M1 chip. Thanks.

    opened by xichan-ms 1
  • Better curve than Yeti?

    Hey! How about this BW6-767 curve, defined over the scalar field of BLS12-381?

    • blog post: https://ethresear.ch/t/bw6-over-bls12-381/10321
    • code: https://github.com/yelhousni/gnark-crypto/tree/feat/bw6_on_bls12-381/ecc/bw6-767

    It is 12 machine words instead of 13 (with one spare bit for a couple of optimizations), and it has parameters in polynomial form, allowing a fast implementation.

    opened by yelhousni 2
Owner
Timofey
Researcher. Developer. Passionate about cryptography, distributed computing, self-hosting, and digital art