#zero-knowledge-proofs #encryption #encryption-decryption #snark #verifiable #groth16 #data

no-std saver

SAVER SNARK-friendly, Additively-homomorphic, and Verifiable Encryption and decryption with Rerandomization

15 breaking releases

0.18.0 Jul 18, 2024
0.16.0 May 10, 2024
0.15.0 Mar 4, 2024
0.14.0 Oct 2, 2023
0.3.0 May 27, 2022

#1736 in Cryptography

Download history 22/week @ 2024-09-15 23/week @ 2024-09-22 27/week @ 2024-09-29 3/week @ 2024-10-06 11/week @ 2024-11-10 37/week @ 2024-11-17 14/week @ 2024-11-24

62 downloads per month
Used in 2 crates (via proof_system)

Apache-2.0

660KB
15K SLoC

saver

Verifiable encryption using SAVER

Implementation based on SAVER. Implemented

The basic idea of the verifiable encryption construction is to split the message to be encrypted (a field element) into small chunks of say b bits and encrypt each chunk in an exponent variant of Elgamal encryption. For decryption, discrete log problem in the extension field (F_{q^k}) is solved with brute force where the discrete log is of at most b bits so 2^b - 1 iterations. The SNARK (Groth16) is used for prove that each chunk is of at most b bits, thus a range proof.

The encryption outputs a commitment in addition to the ciphertext. For an encryption of message m, the commitment psi is of the following form:

psi = m_1*Y_1 + m_2*Y_2 + ... + m_n*Y_n + r*P_2

m_i are the bit decomposition of the original message m such that m_1*{b^{n-1}} + m_2*{b^{n-2}} + .. + m_n (big-endian) with b being the radix in which m is decomposed and r is the randomness of the commitment. eg if m = 325 and m is decomposed in 4-bit chunks, b is 16 (2^4) and decomposition is [1, 4, 5] as 325 = 1 * 16^2 + 4 * 16^1 + 5 * 16^0.

Getting a commitment to the full message from commitment to the decomposition.

To use the ciphertext commitment for equality of a committed message using a Schnorr protocol, the commitment must be transformed to a commitment to the full (non-decomposed) message. This is implemented with ChunkedCommitment and its docs describe the process.

Use with BBS+ signature

See the tests.rs file

License: Apache-2.0

Dependencies

~7–19MB
~213K SLoC