Zero-knowledge proofs for set membership: efficient, succinct, modular

Abstract We consider the problem of proving in zero knowledge that an element a public set satisfies given property without disclosing element, i.e., for some u , “ $$u \in S$$ u ? S and P ( ) holds”. This arises many applications (anonymous cryptocurrencies, credentials or whitelists) where, privacy anonymity reasons, it is crucial to hide certain data while ensuring properties such data. design new modular efficient constructions this through commit-and-prove zero-knowledge systems membership i.e. schemes value commitment $$c_u$$ c . also extend our results support non-membership proofs \notin ? Being commit-and-prove, solutions can act as plug-and-play modules statements form holds” by combining (non-)membership with any other scheme ). Also, they work Pedersen commitments over prime order groups which makes them compatible popular Bulletproofs Groth16. implemented software library, tested experimentally their performance. Compared previous achieves similar properties—the clever techniques zkSNARKs Merkle Trees Zcash—our offer more flexibility, shorter parameters $$3.7 \times $$ 3.7 × – $$30\times 30 faster time size $$2^{64}$$ 2 64