#elliptic-curve #schnorr #signature #proof-of-knowledge #zk-po-k #proof-of-equality #proof-of-inequality

no-std schnorr_pok

Schnorr, Okamoto and Chaum-Pedersen protocols for proof of knowledge, equality and inequality of one or more discrete logs. Works in elliptic curve and pairing groups.

21 breaking releases

0.22.0 Feb 24, 2025
0.21.0 Dec 19, 2024
0.20.0 Jul 18, 2024
0.17.0 Mar 4, 2024
0.5.0 Nov 5, 2021

#474 in Cryptography


685 downloads per month
Used in 14 crates (12 directly)

Apache-2.0

270KB
6K SLoC

Various Sigma protocols

The crate's name is schnorr_pok, but it implements several Sigma protocols.

Proof of knowledge of a discrete log using the Schnorr protocol, and a similar proof of knowledge for the opening of a Pedersen commitment, in discrete_log.

Protocol for proving knowledge of the opening of a generalized Pedersen commitment (C = G * a + H * b + J * c + ...) in pok_generalized_pedersen.

Proof of knowledge of discrete log in pairing groups, i.e. given prover and verifier both know (A1, Y1), and prover additionally knows B1, prove that e(A1, B1) = Y1. Similarly, proving e(A2, B2) = Y2 when only prover knows A2 but both know (B2, Y2). See discrete_log_pairing.

Proof of inequality of a discrete log (a value committed in a Pedersen commitment), either with a public value or with another discrete log, in Inequality. E.g., given a message m, its commitment C = G * m + H * r and a public value v, proving that m ≠ v. Or given 2 messages m1 and m2 and their commitments C1 = G * m1 + H * r1 and C2 = G * m2 + H * r2, proving m1 ≠ m2.

Also implements the proof of inequality of discrete logs when only one of the discrete logs is known to the prover, in Inequality, i.e. given Y = G * x and Z = H * k, prover and verifier know G, H, Y and Z and the prover additionally knows x but not k.

The following Sigma protocols are for product, square and inverse of a discrete log in Product:

  • Proving product relation among values committed in a Pedersen commitment
  • Proving square relation among values committed in a Pedersen commitment
  • Proving inverse relation among values committed in a Pedersen commitment

Also implements a partial Schnorr proof where the response for some witnesses is not generated. This is useful when several Schnorr protocols are executed together and they share some witnesses. The response for the common witnesses will be generated in one Schnorr proof, while the other protocols will generate partial Schnorr proofs where the responses for the common witnesses are missing. This means that duplicate Schnorr responses for the common witnesses are not generated.

In all the protocols, the prover follows the pattern of init, challenge_contribution and gen_proof which correspond to the 3 steps of the Sigma protocol with the verifier challenge generated with Fiat-Shamir. challenge_contribution adds that protocol's generated public commitments to the transcript. The verifier also has its own challenge_contribution to add the public commitments to the transcript.
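The init, challenge_contribution and gen_proof pattern described above, as an added example that is not code from the schnorr_pok crate: a Schnorr proof of knowledge of x for y = G^x in a toy multiplicative group, where the crate itself works in elliptic curve and pairing groups written additively as Y = G * x. Apart from the three step names, every type, function and parameter here is an assumption for illustration, including the small group and the use of DefaultHasher as a non-cryptographic stand-in for the Fiat-Shamir hash.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;
// Toy group (constructed, insecure size): G has prime order Q modulo P = 2Q + 1.
const P: u64 = 2039;
const Q: u64 = 1019;
const G: u64 = 4;

fn pow_mod(mut b: u64, mut e: u64) -> u64 {
    let mut acc = 1;
    while e > 0 {
        if e & 1 == 1 { acc = acc * b % P; }
        (b, e) = (b * b % P, e >> 1);
    }
    acc
}
// Both sides append the same public values: generator, statement y, commitment t.
fn contribute(y: u64, t: u64, tr: &mut Vec<u8>) {
    for v in [G, y, t] { tr.extend_from_slice(&v.to_le_bytes()); }
}
// Fiat-Shamir challenge; DefaultHasher is NOT cryptographic, it stands in for a real hash.
fn challenge(tr: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    h.write(tr);
    h.finish() % Q
}

struct Protocol { x: u64, k: u64, t: u64 } // hypothetical prover state, not the crate's type
struct Proof { t: u64, resp: u64 }
impl Protocol {
    // Step 1: commit to blinding k (fresh and uniformly random in real use).
    fn init(x: u64, k: u64) -> Self { Protocol { x, k, t: pow_mod(G, k) } }
    // Step 2: add this protocol's public commitment to the transcript.
    fn challenge_contribution(&self, y: u64, tr: &mut Vec<u8>) { contribute(y, self.t, tr) }
    // Step 3: respond with k + c*x mod Q for the challenge c hashed from the transcript.
    fn gen_proof(self, c: u64) -> Proof { Proof { t: self.t, resp: (self.k + c * self.x) % Q } }
}

fn prove(x: u64, k: u64) -> (u64, Proof) {
    let (y, p, mut tr) = (pow_mod(G, x), Protocol::init(x, k), Vec::new());
    p.challenge_contribution(y, &mut tr);
    (y, p.gen_proof(challenge(&tr)))
}
// Verifier rebuilds the transcript itself, then checks G^resp == t * y^c (mod P).
fn verify(y: u64, proof: &Proof) -> bool {
    let mut tr = Vec::new();
    contribute(y, proof.t, &mut tr);
    pow_mod(G, proof.resp) == proof.t * pow_mod(y, challenge(&tr)) % P
}
fn main() { let (y, pf) = prove(123, 456); println!("verifies: {}", verify(y, &pf)); }
```

Because the verifier derives the challenge from its own copy of the transcript, a proof whose response was altered after the fact no longer satisfies the check.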

More documentation for each protocol is in its corresponding module.

Dependencies

~6–14MB
~176K SLoC