Paper 2022/756

Curve Trees: Practical and Transparent Zero-Knowledge Accumulators

Matteo Campanelli, Protocol Labs
Mathias Hall-Andersen, Aarhus University
Simon Holmgaard Kamp, Aarhus University

In this work we improve upon the state of the art for practical zero-knowledge for set membership, a building block at the core of several privacy-aware applications, such as anonymous payments, credentials and whitelists. This primitive allows a user to show knowledge of an element in a large set without leaking the specific element. One of the obstacles to its deployment is efficiency. Concretely efficient solutions exist, e.g., those deployed in Zcash Sapling, but they often work at the price of a strong trust assumption: an underlying setup that must be generated by a trusted third party. To find alternative approaches we focus on a common building block: accumulators, a cryptographic data structure which compresses the underlying set. We propose novel, more efficient and fully transparent constructions (i.e., without a trusted setup) for accumulators supporting zero-knowledge proofs for set membership. Technically, we introduce new approaches inspired by ``commit-and-prove'' techniques to combine shallow Merkle trees and 2-cycles of elliptic curves into a highly practical construction. Our basic accumulator construction---dubbed Curve Trees---is completely transparent (does not require a trusted setup) and is based on simple and widely used assumptions (DLOG and Random Oracle Model). Ours is the first fully transparent construction that obtains concretely small proof/commitment sizes for large sets and a proving time one order of magnitude smaller than proofs over Merkle Trees with Pedersen hash. For a concrete instantiation targeting 128 bits of security we obtain: a commitment to a set of any size is 256 bits; for $|S| = 2^{40}$ a zero-knowledge membership proof is 2.9KB, its proving takes $2$s and its verification $40$ms on an ordinary laptop. Using our construction as a building block we can design a simple and concretely efficient anonymous cryptocurrency with full anonymity set, which we dub $\mathbb{V}$cash. Its transactions can be verified in $\approx 80$ms or $\approx 5$ms when batch-verifying multiple ($> 100$) transactions; transaction sizes are $4$KB. Our timings are competitive with those of the approach in Zcash Sapling and trade slightly larger proofs (transactions in Zcash Sapling are 2.8KB) for a completely transparent setup.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. USENIX 2023
snarksaccumulatorzero-knowledgeset membershipanonymous payment systems
Contact author(s)
matteo @ protocol ai
ma @ cs au dk
kamp @ cs au dk
2024-01-29: last of 6 revisions
2022-06-13: received
See all versions
Short URL
Creative Commons Attribution


      author = {Matteo Campanelli and Mathias Hall-Andersen and Simon Holmgaard Kamp},
      title = {Curve Trees: Practical and Transparent Zero-Knowledge Accumulators},
      howpublished = {Cryptology ePrint Archive, Paper 2022/756},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.