https://github.com/xlab-si/emmy

Emmy is a library for building protocols/applications based on zero-knowledge proofs, for example anonymous credentials. Zero-knowledge proofs are client-server protocols (in crypto terms also prover-verifier, where the prover takes on the role of the client, and the verifier takes on the role of the server) where the client proves a knowledge of a secret without actually revealing the secret.

Emmy also implements a communication layer supporting the execution of these protocols. Communication between clients and the server is based on Protobuffers and gRPC. Emmy server is capable of serving (verifying) thousands of clients (provers) concurrently. Currently, the communication is implemented for the two anonymous credential schemes (see Currently offered cryptographic schemes).

In addition, emmy is built with mobile clients in mind, as it comes with compatibility package providing client wrappers and types that can be used for generating language bindings for Android or iOS mobile platforms.

To get some more information about the theory behind zero knowledge proofs or developing various parts of emmy library, please refer to additional documentation in the docs folder.

What does emmy stand for?

Emmy library is named after a German mathematician Emmy Noether, recognised as one of the most important 20th century mathematicians. Emmy Noether's groundbreaking work in the field of abstract algebra earned her a nickname the mother of modern algebra. We named our library after her, since modern cryptography generally relies heavily on abstract algebraic structures and concepts.

• Currently offered cryptographic primitives
• Currently offered cryptographic schemes
• Installation
• emmy CLI tool
  • emmy server
  • emmy clients
  • TLS support
• Further documentation

Emmy 是一个基于零知识证明（例如匿名凭证）构建协议/应用程序的库。零知识证明是客户端-服务器协议（在加密术语中也是prover-verifier，其中证明者扮演客户端的角色，验证者扮演服务器的角色），其中客户端证明对秘密的了解，而无需居然泄露了秘密。

Emmy 还实现了一个支持这些协议执行的通信层。客户端和服务器之间的通信基于Protobuffers和gRPC。Emmy 服务器能够同时服务（验证）数千个客户端（证明者）。目前，通信是针对两种匿名凭证方案实现的（请参阅当前提供的加密方案）。

此外，emmy 在构建时考虑到了移动客户端，因为它带有提供客户端包装器和类型的兼容性 包，可用于为 Android 或 iOS 移动平台生成语言绑定。

要获取有关零知识证明背后的理论或开发 emmy 库的各个部分的更多信息，请参阅docs文件夹中的其他文档。

艾美代表什么？

Emmy 图书馆以德国数学家Emmy Noether命名，他被公认为 20 世纪最重要的数学家之一。Emmy Noether 在抽象代数领域的开创性工作为她赢得了现代代数之母的绰号。我们以她的名字命名我们的图书馆，因为现代密码学通常严重依赖抽象代数结构和概念。

• 当前提供的加密原语
• 目前提供的加密方案
• 安装
• 艾美 CLI 工具
  • 艾美奖服务器
  • 艾美奖客户
  • TLS 支持
• 更多文件

What is a zero-knowlede proof (ZKP)?

A zero-knowledge proof is protocol by which one party (prover) proves to another party (verifier) that a given statement is true, without conveying any information apart from the fact that the statement is indeed true.

The required properties for zero knowledge proofs are:

• completeness - if the statement is true, the honest verifier (the verifier that follows the protocol properly) will be convinced of this fact with overwhelming probability,
• soundness - no one who does not know the secret can convince the verifier with non-negligible probability,
• zero knowledge - the proof does not leak any information.

A good resource on zero-knowledge proofs is [1].

How can we build zero-knowledge proofs?

Zero-knowledge proofs can be built upon sigma protocols. Sigma protocols are three-move protocols (commitment, challenge and response) which have the following properties: completeness, special soundness, and special honest zero knowledge verifier (not going into definitions here, please refer to [1]). An example of a sigma protocol is Schnorr protocol, where the prover proves that he knows w such that gw = h (mod p) (proof of knowledge of a discrete logarithm):

什么是零知识证明（ZKP）？

零知识证明是一种协议，一方（证明者）通过该协议向另一方（验证者）证明给定的陈述是真实的，除了陈述确实是真实的事实之外，不传达任何信息。

零知识证明所需的属性是：

• 完整性

  • 如果陈述是真的，诚实的验证者（正确遵循协议的验证者）将以压倒性的概率相信这个事实，

• 可靠性

  • 任何不知道秘密的人都无法以不可忽略的概率说服验证者，

• 零知识

  ——证明不会泄露任何信息。

关于零知识证明的一个很好的资源是 [1]。

我们如何构建零知识证明？

零知识证明可以建立在sigma 协议上。Sigma 协议是三步协议（commitment、challenge 和 response），具有以下属性：完整性、 特殊可靠性和特殊诚实零知识验证器（此处不做定义，请参阅 [1]）。sigma 协议的一个示例是 Schnorr 协议，其中证明者证明他知道w使得g w = h (mod p)（离散对数知识证明）：

We can turn sigma protocols like Schnorr protocol into zero-knowledge proofs (ZKP). The key is to enforce the verifier to behave honestly. This can be achieved by using commitment scheme [2] or by using one-bit challenges. Both techniques will be described below.

How can a Schnorr protocol can be executed in emmy (given g, t, p how to prove the knowledge of s where t = gs (mod p)):

`prover := schnorr.NewProver(group, types.Sigma) verifier := schnorr.NewVerifier(group, types.Sigma)

x := prover.GetProofRandomData(s, g) verifier.SetProofRandomData(x, g, t)

challenge, _ := verifier.GetChallenge() z, _ := prover.GetProofData(challenge) verified := verifier.Verify(z, nil)`

The second parameter in both constructors specifies whether sigma protocol or ZKP should be executed (ZKP is sigma protocol extended with commitment scheme to enforce the verifier to behave honestly).

Note that emmy provides a communication layer which enables execution of the protocols on two remote devices. For brevity the examples here assume the execution of prover and verifier on the same device.

How can we prove that a protocol is sound

That means - how can a prover prove the knowledge of a secret. This is done by showing that there exists an algorithm which can extract the knowledge of a secret if the prover is used as a black-box and can be rewinded to output the same first message in two protocol executions.

Thus, in Schnorr protocol the transcripts of two protocol executions are (x = gr (mod p), c1, z1), (x = gr (mod p), c2, z2). The parameters g, h, p are publicly known. Prover is proving the knowledge of s such that:

gs = t (mod p)

In the last step of both executions the extractor (playing the role of the verifier) verified that:

gz1 = gr * (gs)c1 = gr * tc1 (mod p)

gz2 = gr * (gs)c2 = gr * tc2 (mod p)

Extractor divides both equations:

gz2-z1 = tc2-c1 (mod p)

Note that this is in Schnorr group which is cyclic with order q (see crypto/groups package).

gz2-z1 = (gs)c2-c1 = gs*(c2-c1) (mod p)