A Haskell implementation of the ZKBoo protocol for non-interactive zero-knowledge arguments of boolean circuits.
ZKBoo generates non-interactive zero-knowledge arguments for circuits consisting of addition and multiplication. A special case is circuits over ℤ₂, i.e., boolean circuits.
The basic idea behind ZKBoo is to distribute the evaluation of the circuit over three parties. Commitments to the final views are sent to the verifier. The verifier then sends a challenge to the prover, which reveals the two views specified by the challenge. To reduce the soundness error, multiple rounds of this protocol are executed. The protocol is made non-interactive by applying the Fiat-Shamir heuristic, which draws the challenges from the hash of the commitments.
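The flow described above, as an added Python sketch that is not this project's Haskell code: three parties evaluate a small boolean circuit on XOR shares of the input, the views are committed, and the Fiat-Shamir hash picks which two views are opened in each round. The circuit, SHA-256 commitments, the round count of 40 and all function names are assumptions made for illustration.

```python
import hashlib, secrets

# Constructed example circuit (an assumption): y = (x0 AND x1) XOR x2; inputs are wires 0-2.
N_IN, CIRCUIT, ROUNDS = 3, [("and", 0, 1), ("xor", 3, 2)], 40

def H(*parts):  # all parts have fixed lengths here, so plain concatenation is unambiguous
    return hashlib.sha256(b"".join(parts)).digest()

def gate(g, w, wn, seed, seed_n):
    """Party i's output share for gate g, from its wires w and party i+1's wires wn."""
    op, a, b = CIRCUIT[g]
    if op == "xor":
        return w[a] ^ w[b]
    r, rn = H(seed, bytes([g]))[0] & 1, H(seed_n, bytes([g]))[0] & 1  # random-tape bits
    return (w[a] & w[b]) ^ (wn[a] & w[b]) ^ (w[a] & wn[b]) ^ r ^ rn

def commit(seed, w):
    return H(seed, bytes(w))

def challenges(y, rounds):
    """Fiat-Shamir: hash claimed output, commitments and output shares into one trit per round."""
    t = H(bytes([y]), *[p for cs, ys in rounds for p in cs + [bytes(ys)]])
    return [int.from_bytes(H(t, bytes([i])), "big") % 3 for i in range(len(rounds))]

def prove(x):
    rounds, views = [], []
    for _ in range(ROUNDS):
        s = [secrets.token_bytes(16) for _ in range(3)]
        w = [[secrets.randbits(1) for _ in x] for _ in range(2)]
        w.append([xi ^ a ^ b for xi, a, b in zip(x, *w)])  # third share fixes the XOR to x
        for g in range(len(CIRCUIT)):
            out = [gate(g, w[i], w[(i + 1) % 3], s[i], s[(i + 1) % 3]) for i in range(3)]
            for i in range(3):
                w[i].append(out[i])
        rounds.append(([commit(s[i], w[i]) for i in range(3)], [w[i][-1] for i in range(3)]))
        views.append((s, w))
    y = rounds[0][1][0] ^ rounds[0][1][1] ^ rounds[0][1][2]
    opened = [[(s[(e + j) % 3], w[(e + j) % 3]) for j in (0, 1)] for e, (s, w) in zip(challenges(y, rounds), views)]
    return y, rounds, opened  # per round: 3 commitments + 3 output shares, and 2 opened views

def verify(y, rounds, opened):
    for e, (cs, ys), ((s0, w0), (s1, w1)) in zip(challenges(y, rounds), rounds, opened):
        redo = list(w0[:N_IN])  # recompute view e from its input share and view e+1
        for g in range(len(CIRCUIT)):
            redo.append(gate(g, redo, w1, s0, s1))
        if not (redo == w0 and commit(s0, w0) == cs[e] and commit(s1, w1) == cs[(e + 1) % 3]
                and ys[e] == w0[-1] and ys[(e + 1) % 3] == w1[-1] and ys[0] ^ ys[1] ^ ys[2] == y):
            return False
    return len(rounds) == len(opened) == ROUNDS
```

The verifier never sees the third view: its AND-gate contribution is masked by that party's random tape, and only its commitment and output share appear in the proof.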
Advantages
- Proof generation is significantly faster.
- No need for trusted parameter generation.
- Arguably simpler to implement.
Disadvantages
- Significantly larger proof sizes.
- Slightly slower verification.
I am not a cryptographer and I only wrote this code for learning purposes. I do not recommend that you use it for cryptographic applications.