[Cryptography] zero knowledge proofs in C++

Jan Carlsson jancarlsson at Safe-mail.net
Wed Dec 24 15:23:27 EST 2014


I built a C++ embedded domain specific language for zkSNARK proofs. The
original motivation was implementing the Zerocash crypto-currency. The EDSL
was designed to support Zerocash. However, as it matured, the language
became an interesting technology on its own.

The EDSL appears imperative but assembles arithmetic circuits. The back-end
is a redesign of the libsnark release from the SCIPR Lab. This gives a
high-level imperative language for ZKP with a compiler (technically a JIT,
although that is stretching semantics) and elliptic curve pairing runtime.

The EDSL is: https://github.com/jancarlsson/snarkfront .
The back-end is: https://github.com/jancarlsson/snarklib .

There are four managed types: Boolean, 128-bit unsigned big integer, 32-bit
and 64-bit unsigned integer words. The usual logical, arithmetic, and
comparison operations are supported. Natural type conversions are allowed.
One-wayness is from SHA-2 (all variants). There is also a binary Merkle
tree implementation compatible with SHA-256 or SHA-512.

Generating a proving/verification key pair for a single SHA-256 compression
function (one 512 bit block) at 128-bit security (using Barreto-Naehrig
elliptic curve) requires about 30 seconds on my laptop and is 55 MB (after
compression with bzip2). Generating a proof is about 10 seconds and 1 KB.
Of course, verification is fast.

I feel the research community is more focused on advanced compiler
development, i.e. "zero knowledge proof cross compiler for C." The EDSL
approach is not seriously considered. Even if this is an interim solution,
the technology may last for quite a while. Compiler development is hard.
The EDSL library approach can get to market much faster and naturally
integrates with technology stacks in use today.


More information about the cryptography mailing list