## Cryptology ePrint Archive: Report 2019/1255

Zero-Knowledge Proofs for Set Membership: Efficient, Succinct, Modular

Daniel Benarroch and Matteo Campanelli and Dario Fiore and Kobi Gurkan and Dimitris Kolonelos

Abstract: We consider the problem of proving in zero knowledge that an element of a public set satisfies a given property without disclosing the element, i.e., for some $u$, $u \in S$ and $P(u)$ holds''. This problem arises in many applications (anonymous cryptocurrencies, credentials or whitelists) where, for privacy or anonymity reasons, it is crucial to hide certain data while ensuring properties of such data. We design new \textit{modular} and \textit{efficient} constructions for this problem through new \textit{commit-and-prove zero-knowledge systems for set membership}, i.e. schemes proving $u \in S$ for a value $u$ that is in a public commitment $c_u$. We also extend our results to support {\em non-membership proofs}, i.e. proving $u \notin S$. Being commit-and-prove, our solutions can act as plug-and-play modules in statements of the form $u \in S$ and $P(u)$ holds'' by combining our set (non-)membership systems with any other commit-and-prove scheme for $P(u)$. Also, they work with Pedersen commitments over prime order groups which makes them compatible with popular systems such as Bulletproofs or Groth16. We implemented our schemes as a software library, and tested experimentally their performance. Compared to previous work that achieves similar properties---the clever techniques combining zkSNARKs and Merkle Trees in Zcash---our solutions offer more flexibility, shorter public parameters and $3.7 \times$--$30\times$ faster proving time for a set of size $2^{64}$.

Category / Keywords: cryptographic protocols / public-key cryptography, zero knowledge, applications

Original Publication (with minor differences): Financial Cryptography and Data Security 2021

Date: received 27 Oct 2019, last revised 26 Feb 2021

Contact author: matteo campanelli at gmail com, dimitris kolonelos at imdea org

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2019/1255

[ Cryptology ePrint archive ]