
A Survey on Zero Knowledge Range Proofs and Applications (1907.06381v1)

Published 15 Jul 2019 in cs.CR

Abstract: In recent years, there has been an increasing effort to leverage Distributed Ledger Technology (DLT), including blockchain. One of the main topics of interest, given its importance, is the research and development of privacy mechanisms, as is the case, for example, of Zero Knowledge Proofs (ZKP). ZKP is a cryptographic technique that can be used to hide information that is put into the ledger, while still allowing validation of this data to be performed. In this work we describe different strategies to construct Zero Knowledge Range Proofs (ZKRP), such as the scheme proposed by Boudot in 2001, the one proposed in 2008 by Camenisch et al., and Bulletproofs, proposed in 2017. We also compare these strategies and discuss possible use cases. Since Bulletproofs is the most efficient construction, we will give a detailed description of its algorithms and optimizations. Bulletproofs is not only more efficient than previous schemes, but also avoids the trusted setup, which is a requirement that is not desirable in the context of Distributed Ledger Technology (DLT) and blockchain. In the case of cryptocurrencies, if the setup phase is compromised, it would be possible to generate money out of thin air. Interestingly, Bulletproofs can also be used to construct generic Zero Knowledge Proofs (ZKP), in the sense that it can be used to prove generic statements, and thus it is not restricted to ZKRP but can be used for any kind of Proof of Knowledge (PoK). Hence Bulletproofs leads to a more powerful tool to provide privacy for DLT. Here we describe in detail the algorithms involved in the Bulletproofs protocol for ZKRP. We also present our implementation, which has been open sourced.

Citations (75)

Summary

  • The paper surveys and compares multiple zero knowledge proof protocols, outlining their theoretical foundations and practical performance benchmarks.
  • It details various construction methods including square decomposition, signature-based, multi-base, and Bulletproofs, highlighting Bulletproofs for its logarithmic efficiency.
  • The authors implement schemes in Java, Solidity, and Golang, offering actionable performance insights for privacy-preserving blockchain applications and future research.

The paper "A Survey on Zero Knowledge Range Proofs and Applications" (1907.06381) provides an overview of different strategies for constructing Zero Knowledge Range Proofs (ZKRP) and Zero Knowledge Set Membership (ZKSM) protocols, with a particular focus on their practical implementation and applications, especially within Distributed Ledger Technology (DLT) and blockchain. The core motivation is to address the privacy limitations of public ledgers, where sensitive transaction data or personal information is visible to all participants. ZKRP and ZKSM allow proving that a secret value falls within a specific range or belongs to a specific set without revealing the secret value itself.

The survey starts by outlining various practical use cases for ZKRP and ZKSM beyond DLT, such as verifying age without revealing the exact birthdate ("Over 18"), Know Your Customer (KYC) compliance (proving residence in a valid region without specifying the country), secure electronic voting and auctions, establishing board membership anonymity, Anti-Money Laundering (AML) compliance (proving not being on a blacklist), reputation validation, and Common Reporting Standard (CRS) compliance for financial data validation. Within the DLT context, key applications include enabling Confidential Transactions (CT) and Mimblewimble by hiding transaction amounts while proving they are non-negative and within acceptable bounds, proving solvency for exchanges in protocols like Provisions, and facilitating private smart contracts on platforms like Ethereum without requiring a trusted setup or trusted third parties, which are often limitations of schemes like zk-SNARKs or Hawk.

The paper describes several prominent ZKRP construction strategies:

  1. Square Decomposition: Based on decomposing a number into a sum of squares. Schemes like Boudot's [boudot], Lipmaa's [lip03], and Groth's [gro05] fall into this category, typically relying on the Strong RSA assumption. While the verifier complexity can be constant for very large secrets, the prover's computation for the square decomposition is computationally intensive, making it less efficient for moderate-sized secrets.
  2. Signature-based: This approach leverages digital signatures and bilinear pairings. The core idea, exemplified by Camenisch et al. [ccs08], is to prove knowledge of a valid signature on an element within a defined set. For ZKRP, the secret value is represented in a base-$u$ decomposition, and the prover demonstrates knowledge of signatures for each digit of the decomposition, where each digit belongs to the set $\{0, 1, \dots, u-1\}$. This method relies on assumptions like the q-Strong Diffie-Hellman assumption and can be used for ZKSM as well.
  3. Multi-base Decomposition: Similar to signature-based methods in using decomposition, this strategy relies on proving properties about the digits of a secret's representation in different bases. Schemes in this category, like Schoenmakers' [schoenmakers] or Lipmaa et al.'s [mbase03], are noted for being efficient for smaller secret sizes (up to around 25 bits).
  4. Bulletproofs: Proposed by Bünz et al. [bulletproofs], Bulletproofs offer a ZKRP construction that avoids a trusted setup by using a Nothing Up My Sleeve (NUMS) method for generating cryptographic parameters from a public string. It is based on a compact inner product argument. The range proof for a value $v \in [0, 2^n)$ is constructed by proving properties about its bit decomposition $a_L \in \{0,1\}^n$ using commitments and polynomial relations that can be verified efficiently using the inner product argument. Bulletproofs achieves a proof size that is logarithmic in the range bit-length $n$. The paper details the setup, prove, and verify algorithms for the inner product argument and the range proof, illustrating how blinding factors and polynomial evaluation are used to achieve zero knowledge. Practical optimizations like multi-exponentiation (to reduce computation by combining exponentiations) and aggregation (to combine multiple range proofs into a single, more compact proof) are also discussed.
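The inner product argument at the heart of Bulletproofs, as an added worked example (this is not code from the paper or from the authors' open-sourced implementation): it derives generators with the hash-and-increment NUMS approach the text mentions, commits to two constructed vectors $a, b$ as $P = g^a h^b u^{\langle a,b\rangle}$, and runs the recursive halving protocol whose proof is $2\log_2 n$ curve points plus two scalars, which is where the logarithmic size comes from. Assumptions: the curve is secp256k1 rather than the paper's BN128 (the inner product argument needs no pairings, so any prime-order group works and secp256k1 can be done in plain Python); the NUMS labels, witness vectors and transcript seed are constructed for the demo; and this is the non-zero-knowledge inner product argument (Protocol 2 of the Bulletproofs paper), so the blinding factors and polynomial machinery of the full range proof are not included.

```python
import hashlib
# secp256k1 constants (public standard values); chosen so the example needs no curve library
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def ec_add(A, B):
    """Affine point addition; None stands for the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):  # double-and-add scalar multiplication
    R, k = None, k % N
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def msm(scalars, points):  # multi-scalar multiplication, i.e. the paper's g^a h^b
    R = None
    for k, Q in zip(scalars, points):
        R = ec_add(R, ec_mul(k, Q))
    return R

def nums_point(label):
    """NUMS generator: hash a public label to x and lift it to the curve (try-and-increment)."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(f"{label}:{ctr}".encode()).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # a square root iff rhs is a QR, since p = 3 mod 4
        if y * y % P == rhs:
            return (x, y)
    raise ValueError("no curve point found for label")

def enc(pt):
    return b"\x00" * 64 if pt is None else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def challenge(transcript, *points):
    """Fiat-Shamir: absorb the round messages, return a non-zero scalar x and its inverse."""
    for pt in points:
        transcript.update(enc(pt))
    x = int.from_bytes(transcript.copy().digest(), "big") % N or 1
    return x, pow(x, -1, N)

def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % N

def fold_generators(g, h, x, xi):
    """g' = g_lo^(1/x) * g_hi^x and h' = h_lo^x * h_hi^(1/x): both vectors halve in length."""
    n = len(g) // 2
    return ([ec_add(ec_mul(xi, g[i]), ec_mul(x, g[n + i])) for i in range(n)],
            [ec_add(ec_mul(x, h[i]), ec_mul(xi, h[n + i])) for i in range(n)])

def ipa_prove(g, h, u, a, b, transcript):
    """Prover for P = g^a h^b u^<a,b>: each round sends L, R and halves a and b."""
    rounds = []
    while len(a) > 1:
        n = len(a) // 2
        cL, cR = inner(a[:n], b[n:]), inner(a[n:], b[:n])
        L = ec_add(msm(a[:n] + b[n:], g[n:] + h[:n]), ec_mul(cL, u))
        R = ec_add(msm(a[n:] + b[:n], g[:n] + h[n:]), ec_mul(cR, u))
        x, xi = challenge(transcript, L, R)
        g, h = fold_generators(g, h, x, xi)
        a = [(a[i] * x + a[n + i] * xi) % N for i in range(n)]
        b = [(b[i] * xi + b[n + i] * x) % N for i in range(n)]
        rounds.append((L, R))
    return rounds, a[0], b[0]

def ipa_verify(g, h, u, Pt, proof, transcript):
    """Verifier: replay challenges, fold generators, P' = L^(x^2) P R^(1/x^2), final check."""
    rounds, a, b = proof
    for L, R in rounds:
        if len(g) < 2:
            return False  # more rounds than log2(n): malformed proof
        x, xi = challenge(transcript, L, R)
        g, h = fold_generators(g, h, x, xi)
        Pt = ec_add(Pt, ec_add(ec_mul(x * x, L), ec_mul(xi * xi, R)))
    return len(g) == 1 and Pt == ec_add(msm([a, b], [g[0], h[0]]), ec_mul(a * b, u))

def run_demo(n=8):
    """Prove and verify <a, b> for constructed vectors; returns (ok, tampered_ok, proof_elements)."""
    assert n & (n - 1) == 0, "vector length must be a power of two"
    g = [nums_point(f"g{i}") for i in range(n)]  # NUMS labels constructed for this demo
    h = [nums_point(f"h{i}") for i in range(n)]
    u = nums_point("u")
    a = [(i * 7 + 3) % N for i in range(n)]  # constructed witness vectors, not from the paper
    b = [(i * i + 1) % N for i in range(n)]
    Pt = ec_add(msm(a + b, g + h), ec_mul(inner(a, b), u))
    seed = b"ipa-demo" + enc(Pt)  # both sides bind the statement P into the transcript
    proof = ipa_prove(g, h, u, a, b, hashlib.sha256(seed))
    ok = ipa_verify(g, h, u, Pt, proof, hashlib.sha256(seed))
    tampered = (proof[0], (proof[1] + 1) % N, proof[2])  # alter the final scalar a
    tampered_ok = ipa_verify(g, h, u, Pt, tampered, hashlib.sha256(seed))
    return ok, tampered_ok, 2 * len(proof[0]) + 2  # 2 points per round + 2 final scalars
```

`run_demo(8)` returns `(True, False, 8)`: the honest proof verifies, the proof whose final scalar was altered is rejected, and the proof consists of six points plus two scalars for vectors of length 8 (for length 64 it would be 12 points plus two scalars, whereas sending the vectors themselves costs 128 elements). The commitment $P$ is absorbed into the Fiat-Shamir transcript before the first challenge so that the challenges are bound to the statement being proved; a verifier that omits that binding accepts proofs that were not made for the commitment in front of it.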

The authors implemented Boudot's scheme in Java and Solidity, and the signature-based scheme and Bulletproofs in Golang, leveraging BN128 curves and Go-Ethereum libraries. Performance benchmarks (Table 1 and Figures 1-3) comparing these implementations, along with data from other survey papers, indicate that Bulletproofs generally demonstrates superior performance, particularly in terms of proof size and verifier computation complexity, which are crucial metrics for DLT applications due to storage and processing constraints on validator nodes. For very large ranges, square decomposition schemes show constant verifier cost, but the prover is slow. Multi-base schemes are competitive for very small ranges. However, for the typical range sizes relevant in DLT (e.g., transaction amounts), Bulletproofs emerges as the most efficient option due to its logarithmic scaling.

The paper concludes by highlighting the significance of ZKRP and ZKSM as fundamental cryptographic building blocks for privacy-preserving applications. It mentions related work on cryptographic accumulators and alternative signature schemes for ZKSM. Future work involves integrating the implemented ZKSM protocols into Ethereum smart contracts (potentially rewriting the verifier in Solidity) and exploring post-quantum ZKP constructions, noting that current lattice-based ZKRP schemes [pqrp] still have larger proof sizes compared to conventional schemes. The overall contribution is to provide a developer-focused survey and implementation comparison of ZKRP schemes, bridging the gap between theoretical cryptography and practical deployment.