SoK: Zero-Knowledge Range Proofs

Miranda Christ (Columbia University, mchrist@[Link])
Foteini Baldimtsi (George Mason University and Mysten Labs, foteini@[Link])
Konstantinos Kryptos Chalkias (Mysten Labs, kostas@[Link])
Deepak Maram (Mysten Labs, deepak@[Link])
Arnab Roy (Mysten Labs, arnab@[Link])
Joy Wang (Mysten Labs, joy@[Link])

ABSTRACT

Zero-knowledge range proofs (ZKRPs) allow a prover to convince a verifier that a secret value lies in a given interval. ZKRPs have numerous applications: from anonymous credentials and auctions, to confidential transactions in cryptocurrencies. At the same time, a plethora of ZKRP constructions exist in the literature, each with its own trade-offs. In this work, we systematize the knowledge around ZKRPs. We create a classification of existing constructions based on the underlying building techniques, and we summarize their properties. We provide comparisons between schemes both in terms of properties as well as efficiency levels, and construct a guideline to assist in the selection of an appropriate ZKRP for different application requirements. Finally, we discuss a number of interesting open research problems.

KEYWORDS

Range proofs, zero knowledge

1 INTRODUCTION

Zero-knowledge (ZK) proofs have received much attention in recent years, with an abundance of generic protocols being developed using various assumptions and techniques. Although these generic protocols are becoming very efficient and easier to implement, there are still cases, for specific types of statements, where customized ZK protocols are preferable.

Zero-knowledge range proofs (ZKRPs) are a subclass of zero-knowledge proofs that prove a structured kind of set membership. A ZKRP allows a prover to convince a verifier that a secret, committed value lies in a given (integer) interval. Brickell et al. [17] introduced the first type of zero-knowledge range proof as a building block in a protocol for revealing a secret discrete logarithm bit-by-bit. Since their introduction, ZKRPs have been used in various applications such as private e-cash protocols [27] (to verify non-negative transaction amounts), anonymous credential systems [6, 24, 26] (to prove that a secret credential attribute, e.g., a user's age, falls in a specific range), as well as private voting [46], auctions [3], privacy-preserving federated learning [7], and so on. Additionally, ZKRPs are often used as building blocks for more complex cryptographic schemes. For instance, they have been used to construct ZK proofs of non-membership [58] and ZK proofs of certain polynomial relations over the integers [23, 25], and they have also been used to prove well-formedness of RLWE ciphertexts [37, 55] and well-formedness of shares in secret-sharing schemes [45, 48].

At the same time, with the rise of decentralized systems and cryptocurrencies, range proofs have received increased attention due to their use in mechanisms that preserve the privacy of transactions posted on the blockchain. For instance, ZKRPs are a key ingredient in confidential transactions [18, 63, 69], which hide the amount of each transaction posted on the blockchain. The transaction amounts are stored in a committed fashion, and to ensure validity of the transaction the sender must prove that the sum of the output amounts does not exceed the sum of the input amounts. For this check to be sound, the sender must also prove that all output amounts are positive (else an adversarial sender could commit to negative output amounts and create coins out of thin air). For commitments in a group, such as Pedersen commitments, this positivity check also involves showing that the committed value is much less than the order of the group. This check essentially amounts to showing that the committed value is in some integer range $[0, 2^k - 1]$ and is done via a ZKRP. Additionally, ZKRPs are heavily used in protocols for blockchain auditing and solvency solutions [22, 29, 34, 51] to show that transactions or reserves of an organization satisfy certain policies.

This increased interest in ZKRPs has also resulted in a growing number of proposed constructions with different characteristics and properties. With numerous ZKRP constructions available, selecting the suitable scheme for a specific application can be challenging. The goals of this SoK are to organize the space of the various techniques used to construct range proofs, compare their properties in a systematic way, identify open research questions, and provide a guideline to select the appropriate protocol for each type of application.

Our contributions and organization. We start by defining the necessary background on cryptographic schemes and computational assumptions in Section 2. In Section 3, we provide a taxonomy of general approaches used in the construction of zero-knowledge range proofs. Concretely, we identify three underlying methods used in the constructions of known ZKRP schemes: (a) square decomposition, (b) binary/$n$-ary decomposition and (c) the hash-chain approach. We describe each method in detail, and for $n$-ary decomposition we present an abstraction that allows us to synthesize the several techniques used. Our abstraction is of independent interest, and could potentially lead to new insights. Then, in Section 4, we collect the set of properties beyond the standard soundness and zero-knowledge that are desirable in certain application scenarios of ZKRPs, such as aggregation, transparent setup and efficiency considerations. In Sections 5-7 we classify all known (to the best of our knowledge) ZKRP constructions under the three methods we identified in Section 3. For each method, we provide an analytical list of known protocols and we compare all protocols based on the desirable properties listed in Section 4. In Section 8, we provide a guideline for how to select the best type of ZKRP construction based on the desired properties, and then in Section 9 we report storage and computation (verifier/prover time) costs of the most popular ZKRP constructions using existing and new benchmarks. We provide a more detailed list of known ZKRP applications in Section 10. Finally, we identify a series of research gaps relevant to ZKRPs which we believe can serve as a starting point for future research works in Section 11.

Comparison with prior work. We compare our paper with the previous survey of range proofs by Morais, Koens, van Wijk, and Koren [64]. The technical portion of [64] focuses largely on Boudot's four-square decomposition construction [15], the signature-based construction of CCs [24], and Bulletproofs [19]. It omits or does not go into detail on many other works, such as the line of code-based constructions, the newer and more efficient square-decomposition constructions, the polynomial commitment-based constructions, the hash chain constructions and lattice-based constructions. In particular, many of the most efficient schemes such as Sharp [31] and BFGW [12] are not covered in their survey. Their work also provides a comparison only of the three schemes that it focuses on. Our SoK is significantly more comprehensive, and here is a summary of how our work goes beyond [64]. First, to the best of our knowledge, we provide a complete description of techniques and schemes in the ZKRP category and we extensively compare all such schemes based on their techniques, assumptions, and other properties. Additionally, we observe a useful abstraction for binary decomposition-based range proofs, breaking such proofs into two components, and presenting the techniques used for each of these components. An important aspect of our work, especially for practitioners who will use our SoK to determine the most suitable ZKRP for their application, is that we provide new benchmarks and assemble existing benchmarks for easier comparison. We plan to open-source the code used for our benchmarks. Finally, we include open questions and research gaps, and a flowchart to help identify the most appropriate range proof construction family for various applications.

2 PRELIMINARIES

We use boldface, like $\mathbf{a} = (a_1, \ldots, a_n)$, to denote a vector, and we let $\mathrm{wt}(\mathbf{a})$ denote its Hamming weight. We use $\circ$ to denote the Hadamard product, i.e., $\mathbf{a} \circ \mathbf{b} = (a_1 b_1, \ldots, a_n b_n)$. For a nonzero value $a$, we use $\mathbf{a}^n$ to denote the vector $(1, a, a^2, \ldots, a^{n-1})$. We let $\mathbf{0}^n$ denote the length-$n$ vector $(0, \ldots, 0)$. For two vectors $\mathbf{x}, \mathbf{y}$, we let $\mathbf{x}^{\mathbf{y}} = (x_1^{y_1}, \ldots, x_n^{y_n})$ denote element-wise exponentiation. We use $\lambda$ to denote the security parameter, $\mathcal{A}$ to denote an adversary, $\mathbb{Z}$ to denote the integers, and $\mathit{negl}(\cdot)$ to denote a negligible function. We use the word efficient, or p.p.t., to mean probabilistic polynomial time.

Definition 2.1 (Commitment scheme [53]). A commitment scheme is a pair of efficiently computable algorithms (Gen, Com) where:
• Gen($1^\lambda$) is an efficient randomized algorithm that outputs public parameters $\mathsf{p}$.
• Com($\mathsf{p}, m, r$) is an efficient deterministic function that takes as input the public parameters, a message $m$, and randomness $r$. It outputs a commitment to $m$.

A commitment scheme must be binding and hiding, defined as follows.

A commitment scheme is binding if for all p.p.t. adversaries $\mathcal{A}$, it is infeasible to come up with two different messages corresponding to a given commitment:

$$\Pr_{\mathsf{p} \leftarrow \mathrm{Gen}(1^\lambda)}\left[\begin{array}{l} ((m_0, r_0), (m_1, r_1)) \leftarrow \mathcal{A}(1^\lambda, \mathsf{p})\ \wedge \\ m_0 \neq m_1\ \wedge \\ \mathrm{Com}(\mathsf{p}, m_0, r_0) = \mathrm{Com}(\mathsf{p}, m_1, r_1) \end{array}\right] = \mathit{negl}(\lambda)$$

A commitment scheme is computationally (resp., statistically) hiding if for all p.p.t. (resp., unbounded) adversaries $\mathcal{A}$, it is infeasible to distinguish whether a commitment corresponds to any $m_0$ or $m_1$ known to $\mathcal{A}$. That is, for all $m_0, m_1$:

$$\Pr_{r \leftarrow_{\$}}\left[\mathcal{A}(1^\lambda, \mathsf{p}, c, m_0, m_1) = 1 : c \leftarrow \mathrm{Com}(\mathsf{p}, m_0, r)\right] \approx \Pr_{r \leftarrow_{\$}}\left[\mathcal{A}(1^\lambda, \mathsf{p}, c, m_0, m_1) = 1 : c \leftarrow \mathrm{Com}(\mathsf{p}, m_1, r)\right]$$

A commitment scheme is homomorphic if

$$\mathrm{Com}(\mathsf{p}, m_0, r_0) + \mathrm{Com}(\mathsf{p}, m_1, r_1) = \mathrm{Com}(\mathsf{p}, m_0 + m_1, r_0 + r_1).$$

Next we define zero-knowledge proofs and non-interactive zero-knowledge proofs (NIZKs). Most of the ZKRPs in this SoK are in fact non-interactive. In the following sections, we will skip mention of the non-interactive aspect, unless not clear from context. We provide informal definitions next, while deferring the formal definition of NIZK and its properties to Appendix A.

Definition 2.2 (Zero-knowledge proof). Let $L$ be a language in NP and $R$ be a polynomially verifiable relation, such that $x \in L \iff \exists w : R(x, w)$. A zero-knowledge proof system for $L$ is a tuple of efficient interactive algorithms (Prover, Verifier, Simulator), such that the following properties hold:
• Completeness. Given $(x, w) \in R$, the honest execution of the Prover (given $x, w$) and the Verifier (given only $x$) results in the Verifier outputting 1.
• Soundness. Given $x \notin L$, a malicious Prover interacting with the Verifier can only make it output 1 with negligible probability.
• Zero-Knowledge. Given $x \in L$, the Simulator can produce an interaction transcript of an honest Prover with a (possibly) malicious Verifier that is computationally indistinguishable from an actual execution transcript of the Prover with the Verifier. Note that the Simulator does not get $w$, while the Prover gets $w$.

A non-interactive zero-knowledge (NIZK) proof system is a zero-knowledge proof system where the Prover, given $(x, w)$, just sends one message $\pi$ to the Verifier, and the Verifier outputs 0/1 based on $(x, \pi)$. A NIZK has an additional setup algorithm $\mathit{CRSGen}$, which outputs a common reference string (CRS) used by all the proofs and verifications. Instead of a CRS, some NIZKs can also specify a random oracle. The Simulator algorithm is allowed to keep trapdoors about the CRS, or be able to simulate the random oracle.
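The following Python program is an added worked example; it is not code from the paper or from any of the schemes it surveys. It instantiates Definition 2.1 with Pedersen commitments (introduced in Section 2 below) over the order-$q$ subgroup of $\mathbb{Z}_P^*$ for a safe prime $P = 2q + 1$, checks the homomorphic property and the $\mathbb{Z}_q$ wrap-around of the message space, and gives a Fiat-Shamir proof of knowledge of an opening in the one-message NIZK shape just described, with a hash standing in for the random oracle. It also includes the simulator of the interactive version, to make the Simulator of Definition 2.2 concrete. The toy 64-bit group, the derivation of $h$ by hashing, and the transcript encoding are choices of this example and are not secure parameters.

```python
"""Added example: Definitions 2.1 and 2.2 made concrete with Pedersen commitments
and a Fiat-Shamir proof of knowledge of an opening.  Toy parameters only."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen(bits: int = 64) -> dict:
    """Gen(1^lambda): safe prime P = 2q + 1 and generators g, h of the order-q
    subgroup of Z_P^*.  h is a hash output squared into the subgroup, so nobody
    knows log_g(h) (an assumption of this example; real systems use standard groups)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    P = 2 * q + 1
    for ctr in range(1000):
        seed = f"pedersen-h|{P}|{ctr}".encode()
        h = pow(int.from_bytes(hashlib.sha256(seed).digest(), "big") % P, 2, P)
        if h not in (0, 1):  # reject the identity (probability ~ 2/P)
            return {"P": P, "q": q, "g": 4, "h": h}  # 4 = 2^2 is a non-trivial QR, so it has order q
    raise RuntimeError("could not derive h")


def com(p: dict, m: int, r: int) -> int:
    """Com(p, m, r) = g^m h^r mod P.  Message and randomness are reduced mod q:
    this wrap-around is why Pedersen is not an integer commitment."""
    return pow(p["g"], m % p["q"], p["P"]) * pow(p["h"], r % p["q"], p["P"]) % p["P"]


def is_homomorphic(p: dict, m0: int, r0: int, m1: int, r1: int) -> bool:
    """Com(m0, r0) * Com(m1, r1) == Com(m0 + m1, r0 + r1); the group is written
    multiplicatively here, additively in the paper."""
    return com(p, m0, r0) * com(p, m1, r1) % p["P"] == com(p, m0 + m1, r0 + r1)


def challenge(p: dict, y: int, t: int) -> int:
    """Fiat-Shamir: the random-oracle challenge is a hash of parameters and statement."""
    data = "|".join(str(v) for v in (p["P"], p["g"], p["h"], y, t)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p["q"]


def prove_opening(p: dict, y: int, m: int, r: int) -> tuple:
    """Prover's single message pi = (t, s_m, s_r): knowledge of (m, r) with y = Com(m, r)."""
    a, b = secrets.randbelow(p["q"]), secrets.randbelow(p["q"])
    t = com(p, a, b)                 # commitment to fresh masks
    e = challenge(p, y, t)
    return t, (a + e * m) % p["q"], (b + e * r) % p["q"]


def accepts_transcript(p: dict, y: int, t: int, e: int, s_m: int, s_r: int) -> bool:
    """The verification equation of the interactive protocol: g^{s_m} h^{s_r} == t * y^e."""
    return com(p, s_m, s_r) == t * pow(y, e, p["P"]) % p["P"]


def verify_opening(p: dict, y: int, pi: tuple) -> bool:
    """Verifier recomputes e from (y, t) and checks the equation; outputs 0/1 on (x, pi)."""
    t, s_m, s_r = pi
    return accepts_transcript(p, y, t, challenge(p, y, t), s_m, s_r)


def simulate_transcript(p: dict, y: int) -> tuple:
    """Simulator (Definition 2.2): picks e, s_m, s_r first and solves for t, so the
    transcript verifies although no opening of y is known.  Under Fiat-Shamir this
    requires programming the random oracle, which the Simulator is allowed to do."""
    e, s_m, s_r = (secrets.randbelow(p["q"]) for _ in range(3))
    t = com(p, s_m, s_r) * pow(y, p["q"] - e, p["P"]) % p["P"]   # y^{-e}, y has order q
    return t, e, s_m, s_r
```

A proof produced for one commitment does not verify against a different commitment, because the challenge is bound to the statement; the simulated transcript, on the other hand, passes the verification equation without any witness, which is exactly what the zero-knowledge property asks for.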
A zero-knowledge proof of knowledge requires that an adversary which produces a valid proof for a statement also knows a valid witness. This is formally captured by requiring the existence of an extractor, which can run the adversary's code and produce the witness.

Definition 2.3 (ZKRP). A zero-knowledge range proof (ZKRP) is a zero-knowledge proof of knowledge for the following relation:

$$RP_{\mathsf{p}} = \{((y, u, v), (m, r)) : y = \mathrm{Com}(\mathsf{p}, m, r) \wedge u \le m \le v\}$$

where $\mathsf{p}$, $y$, $u$, and $v$ are known to the verifier, and Com is some particular commitment scheme.

A question may arise since $\mathsf{p}$ is hard-coded in the language definition: what if a malicious prover samples $\mathsf{p}$ badly and thus renders the NIZK-soundness property vacuous? We note that most applications require both commitment security and NIZK-soundness. This enforces that the attacker of the application's security cannot badly sample $\mathsf{p}$.

Pedersen commitments. Most range proofs use Pedersen commitments [67] as the underlying commitment scheme. Let $\mathbb{G}$ be a cyclic group of prime order $p$ and let $g$ and $h$ be generators of that group, where the relationship between $g$ and $h$ (the discrete logarithm $\log_g h$) is not known. The Pedersen commitment $\mathrm{Com}(x, r)$ to a value $x \in \mathbb{Z}_p$ with randomness $r \in \mathbb{Z}_p$ is $g^x h^r$. Pedersen commitments are statistically hiding, and their binding property is based on the hardness of the discrete logarithm assumption.

Definition 2.4 (Discrete Logarithm Assumption). Let $\mathbb{G}$ be a group of order $p$ and let $g$ be a generator of $\mathbb{G}$. A challenger samples a random $x \leftarrow \mathbb{Z}_p$ and sends $g^x$ to an adversary. The Discrete Logarithm Assumption states that it is infeasible for the adversary to output $x$, given $(\mathbb{G}, g, g^x)$.

Apart from the Discrete Logarithm setting, we will also describe schemes based on the hardness of the RSA problem, as well as lattices.

Definition 2.5 (RSA Assumption). A challenger samples primes $p$ and $q$ and sets $N = pq$. It picks a quantity $e$ co-prime to $\phi(N)$, where $\phi(N) = (p - 1)(q - 1)$ is Euler's totient function. Then it randomly samples $z \leftarrow [1, N]$ and sends $(N, e, z)$ to the adversary. The adversary outputs $y$. The RSA Assumption states that the probability that $y^e = z \pmod N$ is negligible.

Definition 2.6 (Strong RSA Assumption). The Strong RSA Assumption states that the RSA problem is intractable even when the adversary is allowed to choose the public exponent $e$ (for $e \ge 3$).

Definition 2.7 (SIS Assumption). Let $q, n, m \in \mathbb{Z}^+$, $\beta \in \mathbb{R}^+$ be given, where $\beta \ll q$. A challenger samples a random matrix $\mathbf{A} \leftarrow \mathbb{Z}_q^{n \times m}$. The SIS Assumption states that it is infeasible for an adversary to find a nonzero $m$-vector $\mathbf{e}$ such that $\mathbf{A}\mathbf{e} = \mathbf{0} \bmod q$ and $\|\mathbf{e}\|_2 \le \beta$.

3 GENERAL APPROACHES

Efficient zero-knowledge range proofs typically use three classes of approaches: square decomposition, $n$-ary decomposition, and hash chains. We present these approaches below, then explore specific instantiations of these approaches in more detail in their respective sections. We also mention the approach of using generic zero-knowledge proofs.

We describe these approaches for proving that a committed value lies in a range of the form $[0, n^k - 1]$, or that a committed value is positive in the case of square decomposition. Most works consider ranges of this form, which may seem at first glance to be a relaxed version of the problem. However, when the commitments used are homomorphic, it turns out to be sufficient for constructing more general range proofs with only a small amount of work to translate. Assume that we have the ability to prove that any committed value is in the interval $[0, n^k - 1]$. To prove that $z$ is in some interval $[u, v]$ (with $v - u \le n^k - 1$), one can show first that $(z - u) \in [0, n^k - 1]$ and then that $(v - z) \in [0, n^k - 1]$. Thus, $z \ge u$ and $z \le v$. Certain constructions from integer commitments (e.g., CKLR [32]) can combine these checks into proving a single equation: $(z - u)(v - z) \ge 0$. It is easy to obtain commitments to $(z - u)$ and $(v - z)$ homomorphically, given a commitment to $z$. For non-homomorphic commitments, one can do this translation by creating a commitment $c$ to $z - u$, proving in zero knowledge that $c$ indeed commits to $z - u$, and performing this range proof with respect to $c$.

3.1 Square decomposition

The square decomposition method involves writing the committed integer as a sum of squares. A common version of this method, the four-square decomposition method, uses Lagrange's four-square theorem. This theorem states that for any integer $z \in \mathbb{Z}_{\ge 0}$, there exist $x_1, x_2, x_3, x_4 \in \mathbb{Z}$ such that

$$z = x_1^2 + x_2^2 + x_3^2 + x_4^2 \qquad (1)$$

Thus, to prove that a committed value $z$ is non-negative, it suffices to prove knowledge of $x_1, \ldots, x_4$ such that Equation 1 holds. This approach requires a special type of commitment called an integer commitment, which ensures that equations that hold over committed values also hold over the integers. The issue that this property avoids is that Equation 1 may hold for a negative $z$ if we are working in some group rather than over $\mathbb{Z}$. For example, in $\mathbb{Z}_5$ it is possible that $z = -1$ and $0^2 + 1^2 + 2^2 + 2^2 = 9 \equiv -1 = z \pmod 5$.

3.1.1 Integer commitments. An integer commitment scheme is a commitment scheme where binding holds over $\mathbb{Z}$. That is, for all p.p.t. adversaries $\mathcal{A}$,

$$\Pr_{\mathsf{p} \leftarrow \mathrm{Gen}(1^\lambda)}\left[\begin{array}{l} ((m_0, r_0), (m_1, r_1)) \leftarrow \mathcal{A}(1^\lambda, \mathsf{p})\ \wedge \\ m_0 \neq_{\mathbb{Z}} m_1\ \wedge \\ \mathrm{Com}(\mathsf{p}, m_0, r_0) = \mathrm{Com}(\mathsf{p}, m_1, r_1) \end{array}\right] = \mathit{negl}(\lambda)$$

where $m_0 \neq_{\mathbb{Z}} m_1$ denotes that $m_0$ and $m_1$ are not equal over the integers. Bounded integer commitments (used in [32]) satisfy the same binding property, but are weaker in that the message space is restricted to some bounded interval, e.g., $\{x \in \mathbb{Z} : |x| \le B\}$. For constructing range proofs, this boundedness is not an issue as long as the ranges in question are well within the bounds.

Pedersen commitments, for example, are not integer commitments as their message space is $\mathbb{Z}_p$, and any messages that are equivalent (mod $p$) result in the same commitment given the same randomness: $g^m h^r = g^{m+p} h^r$ over a cyclic group of order $p$. This attack against binding fails if the order of the group is unknown, and indeed many integer commitment schemes (e.g., Fujisaki-Okamoto commitments, and the constructions of [31, 32]) operate in groups of unknown order.

Fujisaki-Okamoto commitments [43]. We recall an overview of FO commitments but refer the reader to [43] for details. FO commitments operate over a group of unknown order $\mathbb{Z}_N^*$. $g$ and $h$ are generators of large subgroups of $\mathbb{Z}_N^*$, whose relation is unknown. The commitment to $x \in \mathbb{Z}$ is

$$\mathrm{Com}_{FO}(\mathsf{p}, x, r) := g^x h^r$$

This commitment is statistically hiding when $r$ is chosen uniformly in the interval $[-2^{\lambda} N + 1, \ldots, 2^{\lambda} N - 1]$, whose length is far larger than the (unknown) order of $h$. Fujisaki-Okamoto commitments are binding under the factoring assumption.

3.2 $n$-ary decomposition

The $n$-ary decomposition method involves committing to the digits of the committed value $z$ in some base $n$. For simplicity, assume for this explanation that we use base 2, although certain approaches can be generalized to other bases. Thus, if the prover wishes to show that $z \in [0, 2^k - 1]$, the prover writes $z = z_0 \cdot 2^0 + z_1 \cdot 2^1 + \ldots + z_{k-1} \cdot 2^{k-1}$ and generates commitments to $z_0, \ldots, z_{k-1}$. The prover then shows that both of the following properties hold, which we present as predicates:

Digit validity ($\mathrm{DV}(\mathbf{z})$): $\mathrm{DV}(\mathbf{z}) = 1$ if and only if $z_i \in \{0, 1\}$ for all $i \in [0, k - 1]$.

Representativeness ($\mathrm{Rep}(\mathbf{z}, z)$): $\mathrm{Rep}(\mathbf{z}, z) = 1$ if and only if $z = \sum_{i=0}^{k-1} z_i \cdot 2^i$.

In terms of these predicates, the $n$-ary decomposition method proves membership in the following relation:

$$R_{\mathrm{decomp}} = \{(\mathsf{p}, (c_1, c_2, n, k), (z, \mathbf{z}, r, \mathbf{r})) : c_1 = \mathrm{Com}(\mathsf{p}, z, r) \wedge c_2 = \mathrm{Com}(\mathsf{p}, \mathbf{z}, \mathbf{r}) \wedge \mathrm{DV}(\mathbf{z}) \wedge \mathrm{Rep}(\mathbf{z}, z)\}$$

We note that here, we slightly abuse notation and use Com to commit to a vector $\mathbf{z}$ with a vector of randomness $\mathbf{r}$.

There are (at least) four common tools used to show that the digits are valid for the desired base, i.e., for binary decomposition, that they all lie in $\{0, 1\}$. These tools include zero-knowledge set membership arguments, product arguments, inner product arguments, and polynomial commitments. These strategies are primarily applicable for base 2, with the exception of set membership, which easily extends to any arbitrary base.

3.2.1 Set membership. A set membership proof shows that a committed value lies in some publicly known set; that is, it is a proof of knowledge for the following relation:

$$SM = \{(\mathsf{p}, (\Phi, y), (m, r)) : y = \mathrm{Com}(\mathsf{p}, m, r) \wedge m \in \Phi\}$$

Although one could define a set membership proof with respect to a private committed set, in our application the set is determined by the publicly known base.

Digit validity. Set membership arguments are useful for instances of $R_{\mathrm{decomp}}$ where the commitment scheme used for $\mathbf{z}$ commits to its components individually; that is,

$$c_2 = (\mathrm{Com}(\mathsf{p}, z_0, r_0), \ldots, \mathrm{Com}(\mathsf{p}, z_{k-1}, r_{k-1}))$$

for some scheme Com. Then, one can show digit validity by providing a set membership proof for each element of $c_2$, with respect to the set $\Phi = \{0, 1, \ldots, n - 1\}$. However, such protocols require commitments and range proofs of length at least linear in $k$.

Representativeness. There is no general way to show representativeness using set membership proofs; schemes using this construction (e.g., [24]) rely on properties of the specific commitment scheme used.

3.2.2 Product arguments. A product argument is a proof system for showing that the product of two committed values $a$ and $b$ is some value $c$. Typically, this equality holds in the group underlying the commitment scheme. For example, for Pedersen commitments in a group of prime order $p$, this argument shows that $ab \equiv c \pmod p$. For integer commitments, we have the stronger property that this equality holds over the integers: $ab = c$.

Digit validity. Product arguments are useful for proving digit validity in base 2 if, as with set membership, $c_2$ consists of individual bit commitments. To show that a committed bit $b$ is in $\{0, 1\}$, the prover can commit to a value $a$ and prove that $ab = 0$ and $a + b = 1$. Observe that if $b \neq 0$, $a$ must be 0 to satisfy the first equation. Then the second equation implies that $b = 1$. Thus, $b$ must be 0 or 1. Furthermore, the prover can always find a satisfying $a$: if $b = 0$, $a = 1$, and if $b = 1$, $a = 0$. Inner product arguments, which we present next, allow the prover to simultaneously show many product relations more efficiently.

Representativeness. As is the case with set membership proofs, product arguments are primarily useful for showing digit validity rather than representativeness.

3.2.3 Inner product arguments. An inner product argument (IPA) is a proof system for showing that the inner product of two committed vectors is some value. The inner product argument used in Bulletproofs [19] shows the following relation, using Pedersen commitments, where $\mathbb{G}$ denotes a group of prime order $p$:

$$\{(\mathbf{g}, \mathbf{h} \in \mathbb{G}^n,\ P \in \mathbb{G},\ z \in \mathbb{Z}_p;\ \mathbf{a}, \mathbf{b} \in \mathbb{Z}_p^n) : P = \mathbf{g}^{\mathbf{a}} \mathbf{h}^{\mathbf{b}} \wedge z = \langle \mathbf{a}, \mathbf{b} \rangle\}$$

Here, $P$ is a binding (but not hiding) commitment to the vectors $\mathbf{a}$ and $\mathbf{b}$. Therefore, Bulletproofs introduces blinding factors to make this argument zero-knowledge. Bulletproofs also constructs an argument for the Hadamard product relation (i.e., $\mathbf{c} = \mathbf{a} \circ \mathbf{b}$) from their inner product argument, though we do not present the details here.

Digit validity. A useful fact used when constructing zero-knowledge range proofs from inner product arguments is that with overwhelming probability, the inner product of a nonzero vector $\mathbf{a}$ and a random vector $\mathbf{b}$ is nonzero. Thus, the prover can convince the verifier that $\mathbf{a}$ is $\mathbf{0}^k$ by showing that its inner product with a random challenge vector is 0. Using the same idea as for product arguments, the prover can commit to the binary representation of the given value as a vector $\mathbf{z}$, then use an inner product argument to show simultaneously that all components of this vector are indeed bits. That is, the prover commits to a vector $\mathbf{z}' = \mathbf{1}^k - \mathbf{z}$, and shows for a random $\mathbf{x}$ that:

$$\langle \mathbf{z}' - (\mathbf{1}^k - \mathbf{z}), \mathbf{x} \rangle = 0 \quad \text{and} \quad \mathbf{z}' \circ \mathbf{z} = \mathbf{0}^k$$
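As an added example (not code from the paper or from any surveyed scheme), the following Python program works through the integer relations behind Section 3 and Section 3.1: the Lagrange four-square witness for $z \ge 0$, the translation of $z \in [u, v]$ into the two non-negativity statements $z - u \ge 0$ and $v - z \ge 0$, and the $\mathbb{Z}_5$ pitfall of Section 3.1.1 that integer commitments exist to rule out. It keeps $z$ in the clear and omits the commitments and the zero-knowledge layer, so it shows only what the prover must find and what the verifier's equations check; the search in `four_squares` is exhaustive and meant for the small demonstration values used here.

```python
"""Added example for Sections 3 and 3.1: the integer arithmetic behind a
four-square non-negativity proof and the [u, v] translation, plus the modular
pitfall that motivates integer commitments.  No commitments, no zero knowledge."""
from math import isqrt


def four_squares(z: int) -> tuple:
    """Prover's witness for z >= 0: (x1, x2, x3, x4) with sum of squares == z
    (Lagrange's theorem).  Exhaustive search, adequate for demonstration values."""
    if z < 0:
        raise ValueError("negative z has no four-square witness over the integers")
    for x1 in range(isqrt(z), -1, -1):
        r1 = z - x1 * x1
        for x2 in range(isqrt(r1), -1, -1):
            r2 = r1 - x2 * x2
            for x3 in range(isqrt(r2), -1, -1):
                r3 = r2 - x3 * x3
                x4 = isqrt(r3)
                if x4 * x4 == r3:
                    return x1, x2, x3, x4
    raise AssertionError("unreachable: Lagrange guarantees a representation")


def verify_four_squares(z: int, xs: tuple) -> bool:
    """Verifier's side of Equation (1), evaluated over the integers."""
    return len(xs) == 4 and sum(x * x for x in xs) == z


def range_to_nonnegativity(z: int, u: int, v: int) -> tuple:
    """Section 3: z in [u, v] iff z - u >= 0 and v - z >= 0.  With a homomorphic
    commitment the verifier derives Com(z - u) = Com(z) - Com(u) itself; here the
    two integers are returned directly."""
    return z - u, v - z


def prove_in_range(z: int, u: int, v: int) -> dict:
    """Prover: a four-square witness for each of the two non-negativity statements."""
    lo, hi = range_to_nonnegativity(z, u, v)
    if lo < 0 or hi < 0:
        raise ValueError("z lies outside [u, v]; an honest prover has no witness")
    return {"lo": four_squares(lo), "hi": four_squares(hi)}


def verify_in_range(z: int, u: int, v: int, proof: dict) -> bool:
    """Verifier: both Equation (1) instances must hold for the derived values."""
    lo, hi = range_to_nonnegativity(z, u, v)
    return verify_four_squares(lo, proof["lo"]) and verify_four_squares(hi, proof["hi"])


def four_squares_mod(z: int, n: int) -> tuple:
    """The pitfall of Section 3.1.1: modulo a small n, EVERY residue, including the
    one standing for a negative integer, is a sum of four squares, so the relation
    says nothing about sign unless binding holds over Z.  Brute force; small n only."""
    squares = [(x * x) % n for x in range(n)]
    for x1 in range(n):
        for x2 in range(n):
            for x3 in range(n):
                rem = (z - squares[x1] - squares[x2] - squares[x3]) % n
                if rem in squares:
                    return x1, x2, x3, squares.index(rem)
    return ()
```

A proof prepared for one value does not verify for another, because the verifier recomputes $z - u$ and $v - z$ itself; and `four_squares_mod(-1, 5)` returns a witness even though $-1$ is negative, which is exactly the failure that a Pedersen commitment's $\mathbb{Z}_p$ message space would permit and an integer commitment prevents.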
The lattice-based scheme [4] uses this approach as well.

Representativeness. Although we presented an inner product relation where the value $z$ is a public input, many inner product arguments, such as that of Bulletproofs, also work when $z$ is secret and the public input includes only a commitment to $z$. One shows representativeness by a single application of this inner product argument, showing $\langle \mathbf{z}, \mathbf{2}^k \rangle = z$. Bulletproofs combines some of these checks for greater efficiency and uses blinding factors to make the argument zero-knowledge.

3.2.4 Polynomial commitments. A polynomial commitment scheme allows a prover to commit to a polynomial $p(\cdot)$ over a finite field $\mathbb{F}_p$, such that a verifier can query a point $x$ to the prover, which can respond with $p(x)$ and a proof $\pi$ that this evaluation is correct. The scheme should be hiding in that the commitment reveals nothing about the polynomial, and the evaluation proofs reveal no extra information beyond the evaluations themselves. Polynomial commitments are binding in that it is computationally infeasible to produce a verifying proof for an incorrect evaluation of the committed polynomial. A useful property of polynomial commitments is that it is easy for a prover to show that a committed polynomial is identically zero, by providing a proof that its evaluation at a random point is zero. By binding and the Schwartz-Zippel lemma, a nonzero polynomial evaluates to zero at a random point with only negligible probability.

The following approach, which we describe at a high level, was introduced in BFGW [12] and is detailed nicely in [72]. Suppose that we are given a commitment to $z$ in the form of a polynomial commitment to $f$ such that $f(1) = z$. In constructing a range proof for $z \in [0, 2^k - 1]$, it is useful to work over a subgroup $H = \{1, \omega, \omega^2, \ldots, \omega^{k-1}\}$ and use polynomials whose evaluations over $H$ encode the binary representation of $z$. That is, the prover computes a polynomial $g$ such that:

$$g(\omega^{k-1}) = z_{k-1}, \qquad g(\omega^i) = 2\,g(\omega^{i+1}) + z_i \quad \forall i \in \{0, \ldots, k - 2\}$$

Another useful property of polynomial commitments is that one can show that a polynomial $g(X)$ is zero on all of $H$ by committing to a related polynomial $g'(X)$ and proving that $g'(X)$ is identically zero over $\mathbb{F}_p$.

Digit validity. The prover shows that the following two polynomials are zero over all of $H$:

$$w_2 = g \cdot (1 - g) \cdot (X - 1)(X - \omega) \cdots (X - \omega^{k-2})$$

$$w_3 = [g(X) - 2g(X\omega)] \cdot [1 - g(X) + 2g(X\omega)] \cdot (X - \omega^{k-1})$$

$w_2$ has zeros at $1, \omega, \ldots, \omega^{k-2}$ by construction. It is zero at $\omega^{k-1}$ if and only if $g(\omega^{k-1}) \in \{0, 1\}$. For $w_3$, observe that $g(X) - 2g(X\omega)$ is exactly $z_i$ when evaluated at $\omega^i$ for $i \le k - 2$. Therefore, $w_3$ is zero at $\{1, \ldots, \omega^{k-2}\}$ if and only if $z_i \in \{0, 1\}$ for all $i \in \{0, \ldots, k - 2\}$.

Representativeness. The prover shows that the following polynomial is zero over all of $H$:

$$w_1 = (g - f)(X - \omega)(X - \omega^2) \cdots (X - \omega^{k-1})$$

As [12] notes, this approach can be instantiated with any polynomial commitment scheme that is hiding, binding, and additively homomorphic.

3.3 Hash chains

Hash chains can be used to prove that a committed value is at least some threshold. In the hash chain approach, a commitment to a value $z$ is $C_z = H^z(r)$, the output of a hash function applied $z$ times to a random $r$. The proof that $z$ is at least some threshold $t$ is $\pi = H^{z-t}(r)$. A verifier can check that $H^t(\pi) = C_z$; if $z < t$, then $z - t$ is negative and it is infeasible for a cheating prover to compute a preimage of $r$ under $H$.

This simple hash chain requires prover and verifier time that is exponential in $k$ for ranges $[0, 2^k - 1]$. However, using decomposition techniques, HashWires [26] constructs a hash chain-based range proof requiring only $O(k)$ work.

3.4 Generic zero-knowledge

There are many efficient generic zk-SNARKs, such as [9, 20, 44, 47]. These proof systems can be used to construct range proofs. However, because they are generic and do not leverage the structure of the range proof relation, they are less efficient than the tailored range proofs we explore. In Section 9, we include efficiency benchmarks for Groth16 [47], one of the most popular generic zk-SNARKs used in practice.

It is worth noting that practical benefits may outweigh these efficiency losses. In particular, because of their wide-ranging applications, generic zk-SNARKs offer convenient, well-engineered, and optimized libraries. For example, we used Circom [8] and rapidsnark [50] for our Groth16 benchmarks. Even so, the prover and verifier times for Groth16 are roughly an order of magnitude larger than those of the more tailored range proofs. Furthermore, if range proofs are required in a larger system that already uses a generic zk-SNARK elsewhere, using this zk-SNARK for the range proof as well may be practically convenient.

4 DESIRABLE PROPERTIES

All zero-knowledge range proofs must satisfy the standard notions of soundness, completeness, and zero knowledge. All ZKRPs that we cover in this SoK are non-interactive. In this section, we discuss some additional features that might be desirable in some settings.

Efficiency. Unsurprisingly, it is desirable for ZKRPs to be efficient. In blockchain applications, where a transactor must pay for the storage cost and the amount of computation done by validators, it is especially important to minimize proof size and verifier time. The proof size should be at most linear in $k$ for intervals $[0, 2^k - 1]$, and several schemes offer even constant-sized proofs. Though proof size and verifier time are often priorities, prover time also should not be prohibitively large. Since it is hard to directly compare the efficiency of the constructions we discuss in Sections 5-7 (even in the asymptotic setting, the different parameters make a one-to-one comparison very hard), we instead opt to provide a concrete comparison of some of the most popular ZKRPs in Section 9.
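The BFGW-style encoding of Section 3.2.4, carried out in Python as an added example (it is neither the paper's nor BFGW's code). It fixes the prime $P = 7681$, for which $8 \mid P - 1$, finds a primitive 8th root of unity $\omega$, and builds $g$ from the recurrence $g(\omega^{k-1}) = z_{k-1}$, $g(\omega^i) = 2g(\omega^{i+1}) + z_i$. It then forms $w_1$, $w_2$, $w_3$ exactly as above and checks that they vanish on $H$ by evaluating them at every point of $H$, which stands in for the polynomial-commitment proof of "zero on all of $H$" that a real protocol would use; no commitment, blinding, or Schwartz-Zippel check is included. The choice of $f = z + 5(X - 1)$ as the committed polynomial with $f(1) = z$, and the way a cheating prover's overflow is placed in the top digit, are assumptions of this example.

```python
"""Added example for Section 3.2.4: BFGW-style polynomial encoding of the binary
decomposition of z over F_P, with the w1/w2/w3 vanishing checks evaluated on H.
Plain algebra only: no polynomial commitment, no blinding."""

P = 7681   # prime with 8 | P - 1 (example choice; real schemes use ~256-bit fields)
K = 8      # proves z in [0, 2^K - 1]


def primitive_root_of_unity(k: int, p: int = P) -> int:
    """An omega of exact multiplicative order k in F_p^* (needs k | p - 1)."""
    assert (p - 1) % k == 0
    prime_factors = {d for d in range(2, k + 1) if k % d == 0 and all(d % e for e in range(2, d))}
    for a in range(2, p):
        w = pow(a, (p - 1) // k, p)
        if all(pow(w, k // d, p) != 1 for d in prime_factors):
            return w
    raise ValueError("no primitive k-th root of unity")


def poly_eval(c: list, x: int, p: int = P) -> int:
    acc = 0
    for coeff in reversed(c):   # Horner's rule; coefficients stored low to high
        acc = (acc * x + coeff) % p
    return acc


def poly_add(a: list, b: list, p: int = P) -> list:
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p for i in range(n)]


def poly_mul(a: list, b: list, p: int = P) -> list:
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out


def poly_scale(a: list, s: int, p: int = P) -> list:
    return [(s * x) % p for x in a]


def poly_neg(a: list, p: int = P) -> list:
    return poly_scale(a, p - 1, p)


def poly_shift(a: list, s: int, p: int = P) -> list:
    """Coefficients of a(sX): a_j -> a_j * s^j.  Used to form g(X omega)."""
    return [(x * pow(s, j, p)) % p for j, x in enumerate(a)]


def interpolate(xs: list, ys: list, p: int = P) -> list:
    """Lagrange interpolation: the polynomial of degree < len(xs) through the points."""
    total = [0]
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = poly_mul(num, [(-xj) % p, 1], p)
                den = den * (xi - xj) % p
        total = poly_add(total, poly_scale(num, yi * pow(den, -1, p), p), p)
    return total


def vanishing(roots: list, p: int = P) -> list:
    """prod (X - r) over the given roots."""
    out = [1]
    for r in roots:
        out = poly_mul(out, [(-r) % p, 1], p)
    return out


def encode_digits(z: int, k: int = K) -> list:
    """Prover's digits: the low k-1 bits, and whatever is left over in the top slot.
    For z >= 2^k the top digit is >= 2: representativeness holds, digit validity must fail."""
    return [(z >> i) & 1 for i in range(k - 1)] + [z >> (k - 1)]


def range_checks(z: int, k: int = K, p: int = P) -> dict:
    omega = primitive_root_of_unity(k, p)
    H = [pow(omega, i, p) for i in range(k)]
    digits = encode_digits(z, k)
    g_vals = [0] * k                  # g(omega^{k-1}) = z_{k-1};  g(omega^i) = 2 g(omega^{i+1}) + z_i
    g_vals[k - 1] = digits[k - 1] % p
    for i in range(k - 2, -1, -1):
        g_vals[i] = (2 * g_vals[i + 1] + digits[i]) % p
    g = interpolate(H, g_vals, p)
    f = [(z - 5) % p, 5]              # committed f with f(1) = z: z + 5(X - 1) (example choice)
    d = poly_add(g, poly_scale(poly_shift(g, omega, p), p - 2, p), p)   # g(X) - 2 g(X omega)
    w1 = poly_mul(poly_add(g, poly_neg(f, p), p), vanishing(H[1:], p), p)
    w2 = poly_mul(poly_mul(g, poly_add([1], poly_neg(g, p), p), p), vanishing(H[:-1], p), p)
    w3 = poly_mul(poly_mul(d, poly_add([1], poly_neg(d, p), p), p), vanishing(H[-1:], p), p)

    def zero_on_H(w: list) -> bool:   # stands in for the commitment-based "zero on H" proof
        return all(poly_eval(w, h, p) == 0 for h in H)

    return {"representative": zero_on_H(w1), "digits_valid": zero_on_H(w2) and zero_on_H(w3)}
```

For $z = 300 > 2^8 - 1$ the recurrence still gives $g(1) = 300$, so $w_1$ vanishes on $H$, but $g(\omega^7) = 2$ makes $w_2$ nonzero at $\omega^7$: the range proof fails on digit validity alone, which is the separation between the two predicates of Section 3.2.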
Miranda Christ, Foteini Baldimtsi, Konstantinos Kryptos Chalkias, Deepak Maram, Arnab Roy, and Joy Wang

Transparent setup. Some range proofs require public parameters that are generated using secret randomness. It is crucial for the security of the proofs that this randomness is not known to the prover. For example, several square decomposition range proofs use RSA-based integer commitments, which require an RSA modulus. Importantly, this modulus $N$ must be generated in such a way that no party knows the factorization of $N = pq$. Similarly, BFGW [12] instantiated with KZG commitments [52] requires a powers-of-tau common reference string, which consists of a series of values $g^{\tau^i}$, where no party knows $\tau$. Protocols that require secrecy of the randomness used in parameter generation are said to require trusted setup. Trusted setup does not necessarily require a trusted party, as many trusted setup procedures can be conducted by distributed multi-party protocols. Such protocols (often called ceremonies) exist for many common trusted setup procedures, such as generation of RSA moduli and powers-of-tau [13, 42, 66].

Ideally, protocols should have a transparent setup procedure that does not require secret randomness. For example, the parameters could be generated by applying a hash function to some public randomness, e.g., to generate a random group element or random matrix.

Note that trusted setup is different from having a trusted issuer responsible for distributing the proper commitments to users, e.g., a Pedersen commitment corresponding to that user's account balance. Any protocol needs to assume that the prover and verifier agree on the commitment at hand.

Aggregation. Aggregation allows multiple range proofs to be compressed into a single succinct proof. That is, a single prover holding $m$ commitments to values in the same range $[0, 2^k - 1]$ can efficiently generate a short aggregate proof $\pi$ proving all of these range statements simultaneously. For this aggregation property to be non-trivial, $\pi$ should be shorter than the concatenation of $\pi_1, \ldots, \pi_m$. For example, for Bulletproofs, Bulletproofs+, and Bulletproofs++ [19, 30, 38], the aggregate proof for $m$ values in $[0, 2^k - 1]$ consists of only $O(\log(m \cdot k))$ group elements. As the concatenation of $m$ proofs would require $O(m \cdot \log k)$ group elements, aggregation results in considerable space savings.

In the notion of aggregation considered so far, a single prover knows the openings of all commitments that are being aggregated. A stronger notion of multi-prover aggregation allows one to combine range proofs generated by multiple provers, who wish to hide their openings from one another. Bulletproofs enables such aggregation via an MPC protocol run by the parties holding the commitments [19]. Multi-prover aggregation is harder to achieve, and is less well studied than single-prover aggregation.

Aggregation is especially useful for confidential transactions, where minimizing the amount of space used on-chain decreases gas costs. Since range proofs are used to show non-negativity, all range proofs typically prove membership in the same interval.

Batch verification. A related property is batch verification, where there exists a process for verifying many proofs together that is more efficient than verifying each proof individually. Batch verification is especially useful in blockchain applications, where a block proposer can aggregate the range proofs for its block and other validators can batch verify this proof more efficiently. Bulletproofs provides batch verification [19], using the observation that verifying many statements of the form $g^x = 1$ can be done by carefully combining them into a single equation requiring fewer exponentiations.

Aggregated range proofs often naturally enable batch verification, as some of the work is effectively done by the aggregator. However, neither aggregation nor batch verification in general implies the other.

Compatibility with homomorphic commitments. A commitment scheme $\mathrm{Com}$ is homomorphic if $\mathrm{Com}(m_0, r_0) + \mathrm{Com}(m_1, r_1) = \mathrm{Com}(m_0 + m_1, r_0 + r_1)$. It is convenient for applications such as confidential transactions for the underlying commitments to be homomorphic; in particular, homomorphism makes it easier to prove that the sum of transaction input amounts is at least the sum of output amounts, i.e., that a transaction does not create money.

Most ZKRPs use Pedersen commitments, which are homomorphic. Some exceptions are HashWires [26] and various lattice-based constructions such as KTX [54], which often achieve only a weaker form of homomorphism.

5 SQUARE DECOMPOSITION CONSTRUCTIONS

Recall that the square decomposition method involves writing the committed value as the sum of four squares and proving that this equality holds over the integers. Integer commitments, which were discussed in greater detail in Section 3, are a useful tool here. (Recall: An integer commitment scheme is a commitment scheme for which binding holds over the integers: it is computationally infeasible for an adversary to find messages $m_0, m_1$ and randomness $r_0, r_1$ such that $\mathrm{Com}(m_0, r_0) = \mathrm{Com}(m_1, r_1)$, where $m_0 \neq m_1$ over $\mathbb{Z}$.) Below we discuss different approaches in this class and also compare them in Figure 1. Our comparison is done in terms of the properties discussed in Section 4 except efficiency, which, as explained above, will be treated separately in Section 9.

Approaches in this class combine integer commitment schemes with a way to prove in zero knowledge that, given commitments $\mathrm{Com}_x$ and $\mathrm{Com}_y$, the committed values satisfy $x^2 = y$. This implies that $y$ is non-negative. One can generalize this argument to work not just for squares $y$, but for all non-negative integers.

Boudot [15] introduced the approach of proving that a committed value is positive by representing an arbitrary integer as a sum of squares (although not four squares). It uses Fujisaki-Okamoto commitments [43], which require a group of unknown order such as an RSA group. Damgård-Fujisaki commitments [35] are slightly more efficient integer commitments used in subsequent work [59], which refined Boudot's idea and used Lagrange's four square theorem [49, Theorem 369] (which states that every non-negative integer can be written as the sum of the squares of four integers). In order to do so, it also introduced an efficient algorithm for finding this four-square decomposition. [46] similarly followed this approach and improved its efficiency by observing that $x$'s of a certain form can be written as the sum of only three squares rather than four. [33] further improved the efficiency and showed that the RSA assumption (rather than the strong RSA assumption, as previously shown) is sufficient to show the security of Damgård-Fujisaki commitments.
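The prover's side of the square decomposition approach, as an added Python example (this is not code from the paper or from any of the cited schemes). It finds Lagrange four-square witnesses for $x - lo$ and $hi - x$ with the randomized Rabin-Shallit method, which is the kind of efficient decomposition algorithm Lipmaa [59] relies on, checks them over the integers as the verifier would, and shows why a commitment that binds only modulo a prime gives no range guarantee at all. The commitment and zero-knowledge layers are omitted; the modulus 23 and the sample values are constructed for the demonstration.

```python
"""Four-square range witnesses, as used by square-decomposition ZKRPs (added example).

Lipmaa-style proofs certify lo <= x <= hi by exhibiting integers with
x - lo = a^2 + b^2 + c^2 + d^2 and hi - x = e^2 + f^2 + g^2 + h^2 and proving both
identities in zero knowledge over the integers. This script shows the prover's
side (finding the witnesses with the randomized Rabin-Shallit method), the
verifier's integer check, and why binding over Z rather than modulo a prime is
what gives the proof its meaning.
"""
import random
from math import isqrt


def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (bases 2..41)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def two_squares_of_prime(p):
    """p = 2 or a prime p = 1 (mod 4)  ->  (a, b) with a^2 + b^2 = p (Hermite-Serret)."""
    if p == 2:
        return 1, 1
    while True:  # a random quadratic non-residue yields a square root of -1 mod p
        c = pow(random.randrange(2, p - 1), (p - 1) // 4, p)
        if c * c % p == p - 1:
            break
    r0, r1 = p, c  # Euclid on (p, c): the first remainder below sqrt(p) is a
    while r1 * r1 > p:
        r0, r1 = r1, r0 % r1
    b = isqrt(p - r1 * r1)
    assert r1 * r1 + b * b == p
    return r1, b


def four_squares(n):
    """Lagrange witness (a, b, c, d) with a^2+b^2+c^2+d^2 = n, n >= 0 (Rabin-Shallit).

    Expected running time is polylogarithmic in n, which is what makes the
    square-decomposition approach usable for 64-bit and larger ranges.
    """
    if n < 0:
        raise ValueError("a negative integer is not a sum of squares")
    if n <= 1:
        return n, 0, 0, 0
    if n % 4 == 0:  # strip factors of 4 so the remainder is odd or 2 mod 4
        a, b, c, d = four_squares(n // 4)
        return 2 * a, 2 * b, 2 * c, 2 * d
    while True:
        a = random.randrange(0, isqrt(n) + 1)
        b = random.randrange(0, isqrt(n - a * a) + 1)
        p = n - a * a - b * b
        if p in (0, 1):
            return a, b, p, 0
        if p == 2 or (p % 4 == 1 and is_prime(p)):
            c, d = two_squares_of_prime(p)
            return a, b, c, d


def range_witness(x, lo, hi):
    """Prover: the two decompositions that certify lo <= x <= hi."""
    if not lo <= x <= hi:
        raise ValueError("x is outside [lo, hi]; no witness exists")
    return four_squares(x - lo), four_squares(hi - x)


def check_witness(x, lo, hi, witness):
    """Verifier: both identities must hold exactly over the integers."""
    (a, b, c, d), (e, f, g, h) = witness
    return (x - lo == a * a + b * b + c * c + d * d
            and hi - x == e * e + f * f + g * g + h * h)


def bogus_witness_mod_q(t, q):
    """Modulo a prime q every residue is a sum of two squares, so a commitment that
    only binds modulo q lets a cheater "decompose" a negative difference such as
    x - lo = -5. Integer (over-Z) binding is exactly what rules this out."""
    target = t % q
    for a in range(q):
        for b in range(a, q):
            if (a * a + b * b) % q == target:
                return a, b
    return None  # not reached for prime q


if __name__ == "__main__":
    x, lo, hi = 1234567890123, 0, 2**64 - 1
    w = range_witness(x, lo, hi)
    print("witness", w, "valid:", check_witness(x, lo, hi, w))
    print("-5 mod 23 as a sum of squares:", bogus_witness_mod_q(-5, 23))
```

`bogus_witness_mod_q` is the practitioner's sanity check when evaluating a "square decomposition" proof built on a prime-order group: if the relation is only proven modulo the group order, the witness for a negative value exists and the range statement is vacuous.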
SoK: Zero-Knowledge Range Proofs

Square Decomposition-Based Range Proofs

Scheme                        Commitment Scheme       Assumptions              Transp. Setup               Proof Aggregation   Batched Ver.
Boudot [15]                   F-O [43]                Strong RSA               N                           N                   N
Lipmaa [59]                   RDF integer comm.*      Strong RSA               N                           N                   N
Groth [46]**                  RDF integer comm.*      Strong RSA               N                           N                   N
CKLR [32]                     Ped***                  DLOG (optionally DSLE)   N                           N                   N
CKLR [32]                     ElGamal variant [32]    DXDH, ORD                Y (class groups)            N                   N
Sharp_GS, Sharp_SO^PO [31]†   Pedersen                DLOG, SEI                Y                           Y                   Y
Sharp_HO [31]†                Pedersen                1/2-fROOT                N (RSA), Y (class groups)   Y                   Y

Figure 1: Properties of square decomposition-based range proofs

*An extension of the Damgård-Fujisaki commitment [35] that [59] constructs.
**[46] is not exactly a new scheme; its contribution is observing a trick that can be applied to make [59] more efficient. Integers of a certain form can be written as a sum of three squares, and one can quickly find this decomposition.
***A bounded integer commitment scheme based on Pedersen commitments.
†Sharp is only a relaxed range proof and not sufficient for all applications. [31] has a thorough discussion; it is sufficient for anonymous credentials and can be used for some but not all proofs in anonymous transactions, with some modifications. Sharp_HO refers to a scheme where Sharp_GS or Sharp_SO^PO is modified using an additional commitment requiring an RSA group or class group in order to achieve improved soundness.

The integer commitments used by all of [15, 46, 59] require a group modulus whose factorization is unknown, and therefore require trusted setup. A newer line of work [31, 32] develops new integer commitment schemes, some of which do not require a trusted setup. These schemes also yield much better efficiency, though Bulletproofs and subsequent binary-decomposition-based proofs are still more efficient in practice due to compatibility with available optimized libraries.

CKLR [32] builds a bounded integer commitment by modifying Pedersen commitments; their scheme essentially enforces that the Pedersen commitment can only be opened to values within some bounded range. They then use this bounded integer commitment to construct their ZKRP following the square decomposition approach. However, their commitment scheme operates over rationals rather than integers; while honest openers round these rationals to integers, malicious openers may open to rationals instead, which can be problematic for some applications and results in a relaxed notion of soundness. Sharp [31] improves upon CKLR in several ways. In addition to improving over the efficiency of CKLR, Sharp is compatible with standard Pedersen commitments. This is because Sharp effectively moves CKLR's modifications of Pedersen commitments into the proof rather than modifying the commitment itself. Two variants of Sharp (Sharp_GS, Sharp_SO^PO), like CKLR, achieve a relaxed notion of soundness. However, they show how to boost soundness by adding an additional commitment using a hidden-order group such as an RSA group or class group; the resulting variants Sharp_HO achieve standard soundness but require longer proofs. The RSA version also requires a trusted setup. Class groups are hidden-order groups that can be instantiated without a trusted setup, though they are less well-supported than RSA groups from an engineering standpoint. Finally, Sharp improves over CKLR by also offering batching capabilities.

6 BINARY DECOMPOSITION CONSTRUCTIONS

CCs [24] introduced the $n$-ary decomposition paradigm to zero-knowledge range proofs. CCs [24] operates over Pedersen commitments and constructs a zero-knowledge set membership protocol by having the verifier publish a signature of each element in the set. The prover then shows in zero knowledge that it knows a signature of its committed value $x$ under the verifier's secret key; by unforgeability this is only possible if the value is in this set. By choosing this set to be $\{0, \ldots, n - 1\}$ for base $n$, the prover can commit to the digits of $x$ and prove that they are valid digits under that base. CCs then uses properties of Pedersen commitments to show that the committed digits indeed represent $x$. The size of the proof is linear in $\log_n 2^k$, where $n$ is the base used and the range is of size $2^k$. By optimizing the choice of the base $n$, this results in a slightly sublinear (in $k$) proof size for a range $[0, 2^k - 1]$. This scheme requires a trusted setup for the signature generation, and it does not offer aggregation.

Subsequent constructions (which we call "Bulletproofs-style" and detail in the next subsection) improve on the efficiency of CCs to avoid this near-linear dependence on $k$. They use inner product arguments or polynomial commitment schemes in clever ways to avoid showing individually that each bit is in $\{0, 1\}$; instead, they are able to roll all of these checks into a shorter proof.

There are also several newer lattice- and code-based constructions that use binary decomposition, such as [4, 55, 65]. While these schemes are less efficient and have very large proofs, their main merit is that they are plausibly post-quantum secure. Additionally, they do offer transparent setup. Developing more practical lattice-based ZKRPs is an interesting research direction, as we discuss in more detail in Section 11.

When surveying binary decomposition constructions, we separate them into two categories: Bulletproofs-style constructions, which are very practical; and lattice-based constructions, which are

primarily of theoretical interest. We provide an overview of all the Bulletproofs-style constructions described below in Figure 2.

6.1 Bulletproofs-Style Constructions

Bulletproofs [19], arguably considered the state-of-the-art range proof scheme, uses the binary decomposition technique. Bulletproofs combines the binary decomposition technique with an inner product argument to enable the prover to send only $O(\log k)$ elements. Bulletproofs improves the inner product argument (IPA) of [14] so that the prover sends only $O(\log k)$ group elements for an IPA over length-$k$ vectors, and uses this improved IPA as its core building block. The key idea in Bulletproofs is that the prover can use this IPA to execute the binary decomposition approach more efficiently; we give intuition for this idea here.

We write $x = a_0 \cdot 2^0 + a_1 \cdot 2^1 + \ldots + a_{k-1} \cdot 2^{k-1}$ and let $\mathbf{a}_L = [a_0, a_1, \ldots, a_{k-1}]$. We let $\mathbf{2}^k := [2^0, 2^1, \ldots, 2^{k-1}]$. The prover shows that it knows a vector $\mathbf{a}_R$ such that:

(1) $\mathbf{a}_L \circ \mathbf{a}_R = \mathbf{0}^k$, (2) $\mathbf{a}_L - \mathbf{a}_R = \mathbf{1}^k$, (3) $\langle \mathbf{a}_L, \mathbf{2}^k \rangle = x$

Conditions (1) and (2) show that each component of $\mathbf{a}_L$ is in $\{0, 1\}$, using the standard inner product strategy described in Section 3. Condition (3) shows that indeed $\mathbf{a}_L$ contains the binary decomposition of $x$.

These three checks can be combined into a single invocation of the IPA. The IPA used employs a technique that reduces each IPA of length-$n$ vectors to an equivalent IPA over length-$\frac{n}{2}$ vectors. Using this IPA results in a proof size of $O(\log_2 k)$.

Subsequent works [30, 73, 74] slightly optimize Bulletproofs but keep the scheme and its properties (in particular, its transparent setup and aggregation properties) largely the same. Bulletproofs+ [30] slightly optimizes the Bulletproofs argument to reduce the number of group elements sent by the prover. Bulletproofs++ [38] further improves efficiency by reducing both prover and verifier time. All of these Bulletproofs derivatives maintain the same aggregation properties.

Bulletproofs++ [38] extends the recursive-style argument of Bulletproofs to work for any base, yielding asymptotic and concrete efficiency improvements. They do so using a lookup argument, which shows that committed values lie in some predefined table. Bulletproofs++ applies this lookup argument to show digit validity in arbitrary bases, allowing them to improve the proof size from Bulletproofs' $O(\log_2 k)$ to $O(\log_2 k / \log_2 \log_2 k)$.

BFGW [12] takes a different approach to the binary decomposition idea, using a polynomial commitment scheme. We detail this approach in Section 3. This scheme assumes that the commitment to a value $x$ is formed as a commitment to a polynomial $f$ such that $f(1) = x$. For some polynomial commitment schemes, such a commitment is nonstandard; conveniently, there is a version of KZG commitments for which this is a Pedersen commitment.

BFGW works with any hiding and binding polynomial commitment scheme, yielding different properties based on the scheme used. Notably, when instantiated with KZG commitments [52], BFGW has constant-sized proofs and is competitive efficiency-wise with Bulletproofs. Though KZG commitments require a trusted setup, this setup ceremony is perhaps one of the most commonly run, and some blockchains such as Ethereum have run a KZG ceremony.¹ In Section 9, we provide the first efficiency (prover and verifier time) benchmarks that we know of for BFGW + KZG. If the Pedersen variant of KZG commitments is used, BFGW + KZG is compatible with Pedersen commitments. BFGW can also be instantiated with DARKs [21], which do not require a trusted setup. Both BFGW + KZG and BFGW + DARKs are aggregatable.

6.2 Lattice- and code-based constructions

There are several lattice- and code-based zero knowledge range proof schemes. These schemes have the advantages that they are plausibly post-quantum secure and have a transparent setup. However, they are concretely much less efficient than the discrete logarithm-based schemes such as Bulletproofs. In particular, they have very long proofs. Thus, one worthwhile research direction is to improve the efficiency of these lattice-based protocols, such as [4, 39, 61]. One area for improvement is in the repetition required to achieve negligible soundness error. Most of these schemes build on protocols with constant soundness and must repeat the protocol $\Omega(\lambda)$ times to achieve $\lambda$ bits of security. When made non-interactive, this amplification results in large proofs.

Lattice- and code-based schemes typically use the binary decomposition approach, where the prover already holds a commitment to the bits $b_0, \ldots, b_{k-1}$ of the value in question. The prover wants to show that $\sum_{i=0}^{k-1} 2^i \cdot b_i \le \beta$ for some $\beta$. This condition can be written equivalently as a system of equations over the bits modulo 2. Such systems of equations can be proven in zero-knowledge using Stern-like protocols [71].

In this section, we present several ideas involved in lattice-based schemes. We first present a lattice-based commitment scheme, KTX [54], that is used in some of these ZKRPs. In doing so, we emphasize several challenges common to many lattice-based schemes. We then give a high-level description of Stern-like protocols, a standard technique for lattice-based zero-knowledge proofs. We also include a table with newer lattice-based schemes that offer constructions tailored to range proofs. We do not include all generic lattice-based zero-knowledge proof constructions.

KTX commitment scheme ([54]). The KTX commitment scheme is based on the hardness of the Short Integer Solution (SIS) problem. Let $\lambda$ be the security parameter, $L$ be the number of bits to be committed to, and $q$ be a prime modulus of size $O(\lambda \sqrt{L})$. Let $m = 2\lambda \lceil \log q \rceil$. The scheme uses public parameters $(\mathbf{A}, \mathbf{B})$ chosen uniformly from $\mathbb{Z}_q^{\lambda \times L} \times \mathbb{Z}_q^{\lambda \times m}$. The commitment to a bit vector $\mathbf{x} \in \{0, 1\}^L$ is the vector

$\mathbf{c} = \mathbf{A} \cdot \mathbf{x} + \mathbf{B} \cdot \mathbf{r} \pmod q$

where $\mathbf{r}$ is sampled uniformly from $\{0, 1\}^m$. This scheme is statistically hiding and computationally binding assuming that the public parameters are sampled uniformly.

Note that KTX commitments are only approximately homomorphic. While it holds that

$\mathbf{A} \cdot \mathbf{x}_1 + \mathbf{B} \cdot \mathbf{r}_1 + \mathbf{A} \cdot \mathbf{x}_2 + \mathbf{B} \cdot \mathbf{r}_2 = \mathbf{A}(\mathbf{x}_1 + \mathbf{x}_2) + \mathbf{B}(\mathbf{r}_1 + \mathbf{r}_2) \pmod q,$

note that $(\mathbf{x}_1 + \mathbf{x}_2)$ and $(\mathbf{r}_1 + \mathbf{r}_2)$ may not be 0/1 vectors. Therefore, $\mathbf{A}(\mathbf{x}_1 + \mathbf{x}_2) + \mathbf{B}(\mathbf{r}_1 + \mathbf{r}_2)$ is not necessarily a valid commitment to a

¹ [Link]

Bulletproofs-Style Range Proofs (all DLOG-based)


Scheme Commitment Scheme Transparent Setup
Bulletproofs [19] Pedersen Y
Bulletproofs+ [30] Pedersen Y
Bulletproofs++ [38] Pedersen Y
Flashproofs [73] Pedersen Y
SwiftRange [74] Pedersen Y
DRZ [36] Pedersen N
ZZT+ [77] Pedersen N
Libert [55] Pedersen N
BFGW [12] + KZG_Ped Pedersen N
BFGW [12] + DARKs [21] DARK [21] Y with class groups; N with RSA

Figure 2: Properties of Bulletproofs-style proofs (all support aggregation and batched verification).

message in the message space. Many commitment schemes used by schemes in this section have similar limited homomorphism.

Note also that KTX commitments do not require a trusted setup to generate the public parameters $\mathbf{A}$, $\mathbf{B}$, and $q$, as these matrices are uniformly random and $q$ can be publicly known. Many lattice-based commitment schemes similarly use random matrices as the public parameters. All of the range proofs in this section offer transparent setup.

Stern-like protocols. Stern's original protocol [71] proves in zero knowledge that a committed bit vector has a certain Hamming weight; that is, it is a zero-knowledge argument of knowledge for the following relation:

$\{((\mathbf{H}, \mathbf{y}, w), \mathbf{s}) \in \mathbb{Z}_2^{n \times m} \times \mathbb{Z}_2^n \times \mathbb{Z} \times \mathbb{Z}_2^m : (\mathrm{wt}(\mathbf{s}) = w) \wedge (\mathbf{H} \cdot \mathbf{s} = \mathbf{y})\}$

The key idea behind Stern's protocol is that the prover permutes the bits of $\mathbf{s}$ to obtain $\mathbf{s}'$, which it reveals to the verifier. It also convinces the verifier that $\mathbf{s}'$ is indeed a permutation of $\mathbf{s}$ under some $\pi$. $\mathbf{s}'$ has the same Hamming weight as $\mathbf{s}$, and the distribution of $\mathbf{s}'$ is identical for any $\mathbf{s}$ satisfying the relation; therefore, $\mathbf{s}'$ reveals no information about $\mathbf{s}$. At a high level, the prover samples a random blinding factor $\mathbf{r}$ and constructs three commitments, which it sends to the verifier, as follows:

$c_1 = \mathrm{Com}(\pi, \mathbf{H} \cdot \mathbf{r}), \quad c_2 = \mathrm{Com}(\pi(\mathbf{r})), \quad c_3 = \mathrm{Com}(\pi(\mathbf{r} \oplus \mathbf{s}))$

Here, $\pi(\mathbf{v})$ denotes the vector obtained by permuting the components of $\mathbf{v}$ under $\pi$. We now run one of three randomized checks: the verifier sends the prover $b \in \{0, 1, 2\}$. In each of these tests, the prover opens a different combination of the commitments and sends some additional information, e.g., $\pi(\mathbf{s})$ for $b = 2$. A cheating prover cannot pass all three of these tests simultaneously and therefore fails with probability at least 1/3. Note that running all of these tests at once would reveal information about $\mathbf{s}$.

This permute-then-reveal strategy can be used for other relations with similar properties. [65] provides an abstraction of such relations, in terms of some set VALID, which in Stern's original protocol was $\mathrm{VALID} = \{\mathbf{s} : \mathrm{wt}(\mathbf{s}) = w\}$:

$R = \{((\mathbf{H}, \mathbf{y}), \mathbf{s}) \in \mathbb{Z}_2^{n \times m} \times \mathbb{Z}_2^n \times \mathrm{VALID} : \mathbf{H} \cdot \mathbf{s} = \mathbf{y}\}$

Correctness under permutation: For all $((\mathbf{H}, \mathbf{y}), \mathbf{s}) \in \mathbb{Z}_2^{n \times m} \times \mathbb{Z}_2^n \times \mathbb{Z}_2^m$ and all permutations $\pi$ over $[m]$,

$\mathbf{s} \in \mathrm{VALID} \iff \pi(\mathbf{s}) \in \mathrm{VALID}$

Hiding under permutation: For all $\mathbf{s} \in \mathrm{VALID}$, the distribution of $\pi(\mathbf{s})$, where $\pi$ is a random permutation over $[m]$, is uniform over the set VALID.

Even given a relation that does not fit the above requirements, one can sometimes construct an associated relation (e.g., using a common technique called extension) that does fall into this paradigm and allows one to construct the desired argument.

Other relations that can be proven under Stern's paradigm include proving knowledge of one secret bit that may appear in multiple equations [57], or proving the knowledge of the product of two secret bits [56]. Stern-like techniques underlie many older lattice- and code-based zero-knowledge protocols. However, recall that due to the randomized tests, Stern's original protocol has soundness error 2/3. In general, Stern-like protocols have constant soundness error and thus require roughly $\lambda$ repetitions for $\lambda$ bits of security. Thus, once made non-interactive via Fiat-Shamir, these protocols result in long proofs.

Only recently have techniques emerged for avoiding Stern-like protocols in constructing lattice-based ZKRPs, whose state-of-the-art is thus not reflected in the previous ZKRP survey [64]. These new techniques resulted in a surge of lattice-based constructions with greatly improved efficiency, with proofs on the order of 10 KB rather than 100 KB. However, this efficiency still lags behind many non-lattice-based constructions with ~500-byte proofs, as seen in Figure 5. Improving lattice-based schemes remains a fruitful research direction.

[39] proposes techniques for avoiding the repetition that Stern-like protocols require for soundness. Their one-shot protocol saves a factor of $\lambda$ in computation time over repeated Stern-like protocols, though the proofs are still quite long, as shown in Figure 5. One-shot approaches are a fruitful direction for developing a more practical (in terms of both communication and computation) lattice-based ZKRP.
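One round of Stern's three-commitment protocol as described above, with both the prover's and the verifier's side for each of the three challenges, as an added Python example (this is not the paper's code or any library's). Commitments are SHA-256 with a random nonce, the matrix $\mathbf{H}$ and secret $\mathbf{s}$ are a constructed toy instance, and `repetitions()` computes the number of rounds implied by the 2/3 soundness error; the names and the encoding of vectors as bit strings are choices made for this example.

```python
"""Stern's protocol over Z_2, one round with all three challenges (added example).

The prover knows s in {0,1}^m with Hamming weight w and H*s = y. Vectors are
Python ints used as bit strings (bit j = coordinate j); H is a list of n row
masks. Com() is SHA-256 over a canonical encoding plus a random nonce.
"""
import hashlib
import math
import secrets


def com(*parts, nonce):
    h = hashlib.sha256(nonce)
    for part in parts:
        h.update(repr(part).encode())
    return h.digest()


def mat_vec(H, v):
    """Bit i of H*v over Z_2 is the parity of the AND of row i with v."""
    return sum((bin(H[i] & v).count("1") & 1) << i for i in range(len(H)))


def permute(pi, v, m):
    """Output bit j = input bit pi[j]; linear, so pi(r ^ s) = pi(r) ^ pi(s)."""
    return sum(((v >> pi[j]) & 1) << j for j in range(m))


def weight(v):
    return bin(v).count("1")


def prover_commit(H, s, m):
    pi = list(range(m))
    secrets.SystemRandom().shuffle(pi)
    r = secrets.randbits(m)
    nonces = [secrets.token_bytes(16) for _ in range(3)]
    c1 = com(pi, mat_vec(H, r), nonce=nonces[0])
    c2 = com(permute(pi, r, m), nonce=nonces[1])
    c3 = com(permute(pi, r ^ s, m), nonce=nonces[2])
    return (c1, c2, c3), (pi, r, nonces)


def prover_respond(state, s, m, b):
    pi, r, nonces = state
    if b == 0:   # open c1, c2: reveals pi and r, nothing about s
        return pi, r, nonces[0], nonces[1]
    if b == 1:   # open c1, c3: reveals pi and r ^ s, a one-time pad of s
        return pi, r ^ s, nonces[0], nonces[2]
    return permute(pi, r, m), permute(pi, s, m), nonces[1], nonces[2]  # open c2, c3


def verify(H, y, w, m, commits, b, resp):
    c1, c2, c3 = commits
    if b in (0, 1) and sorted(resp[0]) != list(range(m)):   # pi must be a real permutation
        return False
    if b == 0:
        pi, r, n1, n2 = resp
        return (c1 == com(pi, mat_vec(H, r), nonce=n1)
                and c2 == com(permute(pi, r, m), nonce=n2))
    if b == 1:
        pi, t, n1, n3 = resp                        # t = r ^ s, so H*r = H*t ^ y
        return (c1 == com(pi, mat_vec(H, t) ^ y, nonce=n1)
                and c3 == com(permute(pi, t, m), nonce=n3))
    pr, ps, n2, n3 = resp                           # pi(r), pi(s): weight is visible, s is not
    return (weight(ps) == w
            and c2 == com(pr, nonce=n2)
            and c3 == com(pr ^ ps, nonce=n3))


def run_round(H, y, w, m, s, b):
    commits, state = prover_commit(H, s, m)
    return verify(H, y, w, m, commits, b, prover_respond(state, s, m, b))


def repetitions(security_bits):
    """Soundness error 2/3 per round, so rounds = ceil(lambda / log2(3/2))."""
    return math.ceil(security_bits / math.log2(1.5))


# Constructed toy instance: n = 4 equations over m = 8 bits, secret of weight 3.
M, H = 8, [0b10110001, 0b01101010, 0b11000101, 0b00011110]
S = 0b00100101
W, Y = weight(S), mat_vec(H, S)

if __name__ == "__main__":
    print([run_round(H, Y, W, M, S, b) for b in (0, 1, 2)])
    print("rounds for 128-bit soundness:", repetitions(128))
```

A prover holding a wrong secret still passes challenge 0 (it reveals only $\pi$ and $\mathbf{r}$), which is the 1/3 that the protocol cannot take away in a single round and the reason for the repetition count the text describes.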

ALS [4] uses an inner product argument in the $n$-ary decomposition approach, which results in significantly shorter proofs compared to other lattice-based constructions; see Figure 5. Its proofs are roughly an order of magnitude larger than those of the most efficient non-lattice schemes, such as Bulletproofs. Another barrier to practical efficiency is that the proofs of ALS cannot be aggregated.

7 HASH CHAIN CONSTRUCTIONS

Payword [70] was the first to use hash chains to construct a range proof for electronic payments, and HashWires [26] more recently revisited this idea with great efficiency improvements. In this approach, the core idea is that a commitment $C_x$ to a value $x$ is the output of a hash function evaluated $x$ times on a random value. That is, $C_x = H^x(r)$ for a random $r$. The proof that $x$ is at least some threshold $t$ is a value $\pi = H^{x-t}(r)$ such that applying the hash function $t$ more times to $\pi$ yields $C_x$; that is, $H^t(\pi) = C_x$. Since the hash function is hard to invert, if $x - t$ is negative it should be hard for the prover to find an accepting $\pi$. Importantly, though, $C_x$ must be well-formed to ensure soundness. Thus, the setting where hash chain constructions can be used is slightly more restricted.

HashWires [26] defines a relaxation of zero-knowledge range proofs called credential-based range proofs (CBRPs). This notion is weaker than general ZKRPs in that the commitment is assumed to be well-formed. Soundness is shown only under this assumption, which is motivated by a setting where a trusted authority distributes commitments to parties that later prove that their committed values exceed some threshold. For example, the trusted authority may be a government, and the commitments might be used for credentials including citizens' ages. If a commitment is signed by this trusted authority, a verifier can be confident that the commitment is properly formed. Technically, this implies that when defining soundness for CBRPs, the adversary cannot produce the commitment (as defined in the statement of Def. 2.3); instead it is honestly generated (the full definition of CBRPs can be found in [26]).

As described, the time to generate $\pi$ and $C_x$ is linear in $x$, and the verifier time is linear in $t$. This is very expensive if we wish to prove that $x$ is in some large range $[0, 2^k - 1]$; ideally, these costs should grow at most linearly with $k$. HashWires achieves this by observing that $x$ can be written in some base $u$, and the proof can be broken into several sub-chains to greatly improve this efficiency (they call this a minimum dominating partition). This base can be chosen to trade off between proof size and prover/verifier efficiency. In our later discussion of efficiency, we include benchmarks for a variety of bases. We will see in Section 9 that HashWires is extremely concretely efficient, in terms of both verifier time and prover time. Its proof sizes are also competitive with other constructions.

8 CHOOSING THE CONSTRUCTION FAMILY FOR YOUR APPLICATION

As there are dozens of ZKRP constructions, choosing the appropriate scheme for a particular application can be challenging. In Figure 4, we give a flowchart for narrowing down the class of range proofs depending on constraints. The next section gives an efficiency comparison to help choose a scheme within this class.

HashWires [26] is concretely quite efficient and uses only hash functions; thus, it is plausibly post-quantum secure and does not require a trusted setup. However, it is in a more stringent trust model (it is a credential-based range proof as defined in Section 7), where there is a trusted issuer distributing commitments; that is, soundness holds only if the commitment is well-formed. If the desired use case does have this type of trusted issuer, HashWires is likely the most efficient scheme.

Among the remaining constructions, only the lattice- and code-based constructions are plausibly post-quantum secure, and thus if this is a requirement this class is the only option. These schemes have relatively large proof sizes (on the order of 10 KB). Hash-based generic zero-knowledge proof systems may be considered as well.

If trusted setup is allowed, there are several schemes with very short proofs and efficient verifier and prover. BFGW + KZG [12], Sharp [31], and Libert's DLOG-based scheme [55] all have constant-sized proofs.

If trusted setup is undesired, the Bulletproofs family is recommended. Although many lattice- and code-based constructions do not require a trusted setup, all Bulletproofs-style constructions have much shorter proofs. Even if a trusted setup is allowed, Bulletproofs-style constructions may still be worth considering depending on how much one values short proofs. Though their proof sizes are not constant, they seem to be the most commonly used in practice. We list CKLR [32] as well because it has comparable efficiency to Bulletproofs on paper and also does not require trusted setup. However, it has several drawbacks: it does not allow batching, it is less efficient in practice due to its incompatibility with optimized libraries for common elliptic curves, and it offers a more relaxed notion of security. For certain applications where these drawbacks are less important, CKLR may be worth considering.

9 EFFICIENCY COMPARISON

This section includes an efficiency comparison of various ZKRPs. In Figure 5, we compile both concrete and asymptotic proof sizes for schemes of particular interest. The concrete proof sizes have been extracted directly from the schemes' respective papers, as the proof sizes are largely the same across machine configurations. Groth16 has the shortest range proofs for a 64-bit range at 192 bytes, whereas HashWires has the shortest range proofs at 177 bytes for a 32-bit range.

In Figure 6, we record prover and verifier times for various schemes. We add many of our own benchmarks to ensure that configurations are normalized. In particular, we add a benchmark for Groth16 [47] that was absent in prior work. The configurations for benchmarks that we pull from other papers are noted below.

Other benchmarks. The Sharp paper's [31] benchmark was run on a MacBook Pro with a 2.3 GHz Intel Core i7 processor and uses the library libsecp256k1 [75]. The HashWires paper [26] includes a benchmark for Bulletproofs which is significantly faster than ours. They used an AVX2 backend, which significantly speeds up curve arithmetic. We include this benchmark in addition to ours, to reflect the speedup possible with their configuration.

Our benchmarks. We add our own benchmarks for HashWires (base 16 and base 256), Bulletproofs, BFGW + KZG, and Groth16.
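The hash-chain commitment and proof from Section 7, as an added Python example (this is not the HashWires or Payword code). It implements $C_x = H^x(r)$, $\pi = H^{x-t}(r)$ and the check $H^t(\pi) = C_x$ with SHA-256, shows the forgery that is possible when the prover is allowed to pick $C_x$ itself (the reason the construction is credential-based), and illustrates the per-digit sub-chain idea with a digit-wise dominance proof. The minimum dominating partition that HashWires uses to cover every threshold below $x$ is not implemented; the function and variable names are this example's own.

```python
"""Hash-chain range proofs in the Payword/HashWires style (added example).

C_x = H^x(r) commits to x; pi = H^(x-t)(r) proves x >= t because H^t(pi) = C_x.
Also shown: why the commitment must come from a trusted issuer (a prover who
chooses C itself can "prove" any threshold), and the per-digit sub-chains that
make the costs grow with the number of digits rather than with x.
"""
import hashlib
import secrets


def h(data):
    return hashlib.sha256(data).digest()


def iterate(seed, times):
    """H^times(seed)."""
    for _ in range(times):
        seed = h(seed)
    return seed


def issue(x, r=None):
    """Trusted issuer: returns (C_x, r). The issuer signs C_x; r goes to the holder."""
    r = r if r is not None else secrets.token_bytes(32)
    return iterate(r, x), r


def prove_at_least(x, r, t):
    """Holder: pi = H^(x-t)(r). Costs x - t hashes; impossible when t > x."""
    if t > x:
        raise ValueError("x < t: no preimage of C_x at distance t exists")
    return iterate(r, x - t)


def verify_at_least(c_x, pi, t):
    """Verifier: t hashes. Accepts iff H^t(pi) == C_x."""
    return iterate(pi, t) == c_x


def forge_without_issuer(t):
    """If the prover may pick C itself there is no soundness: choose pi at random and
    publish C = H^t(pi). This is why HashWires is a credential-based range proof."""
    pi = secrets.token_bytes(32)
    return iterate(pi, t), pi


def digits(x, base, n_digits):
    """Little-endian base-`base` digits of x, padded to n_digits."""
    out = []
    for _ in range(n_digits):
        out.append(x % base)
        x //= base
    if x:
        raise ValueError("x does not fit in n_digits digits")
    return out


def issue_digits(x, base, n_digits, seeds=None):
    """One short chain per digit: C_i = H^(d_i)(r_i), each at most base-1 hashes long."""
    seeds = seeds or [secrets.token_bytes(32) for _ in range(n_digits)]
    return [iterate(s, d) for s, d in zip(seeds, digits(x, base, n_digits))], seeds


def prove_dominates(x, seeds, t, base, n_digits):
    """Digit-wise proof of x >= t when every digit of t is <= the matching digit of x.
    Thresholds below x that are not digit-wise dominated need HashWires' minimum
    dominating partition, which this example does not implement."""
    dx, dt = digits(x, base, n_digits), digits(t, base, n_digits)
    if any(a < b for a, b in zip(dx, dt)):
        return None
    return [iterate(s, a - b) for s, a, b in zip(seeds, dx, dt)]


def verify_dominates(chains, proof, t, base, n_digits):
    dt = digits(t, base, n_digits)
    return all(iterate(p, b) == c for p, b, c in zip(proof, dt, chains))


if __name__ == "__main__":
    c, r = issue(37)
    print("37 >= 20:", verify_at_least(c, prove_at_least(37, r, 20), 20))
    fc, fp = forge_without_issuer(10**6)
    print("self-chosen C accepted:", verify_at_least(fc, fp, 10**6))
```

Note that `prove_at_least` leaks nothing beyond $x \ge t$ only because $\pi$ is itself a hash chain value; a verifier cannot walk the chain backwards, but the holder should still use a fresh $r$ per credential, since two proofs at different thresholds from the same chain reveal the distance between them.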

Lattice- and Code-Based Range Proofs


Scheme Commitment Scheme Assumptions Transp. Setup
LLNW [58] KTX SIVP Y
ESLL [39] UMC, HMC [5, 10, 40] Module-SIS, Module-LWE Y
YAZ+ [76] KTX LWE, SIS Y
ALS [4] BDLOP [5] Module-SIS, Module-LWE Y
CKLR [32]† BDLOP [5], as modified by [76] LWE, SIS Y
LNS [61]* BDLOP [5] Module-SIS, Module-LWE Y
LNP [60] ABDLOP [1, 5] Module-SIS, Module-LWE Y
Code-based [65] [65] 2-RNSD Y

Figure 3: Properties of lattice- and code-based range proofs. CKLR supports proof aggrega-
tion and batch verification, while it is unclear if the other schemes natively do so.
†CKLR [32] uses the square decomposition approach, but one of their constructions is lattice-
based.
*In addition to their standard range proof, LNS [61] also constructs an approximate range proof,
showing that 𝑧 ∈ [0, 𝑛 · 2𝑘 − 1] for some small 𝑛. While relaxed, this kind of approximate range
proof is sufficient for showing smallness of vectors, which is an application they target. Its
efficiency does not depend on 𝑘.

Start
└─ Credential-based?
   ├─ Yes: HashWires [26]
   └─ No: Post-quantum security?
      ├─ Yes: Lattice- & code-based
      └─ No: Transparent setup?
         ├─ Yes: Bulletproofs family, CKLR [32]
         └─ No: BFGW + KZG [12], Sharp [31], [55]

Figure 4: Flowchart for choosing a range proof based on desired properties.

In all cases, we record the median running time over 100 runs. We plan to open source all of our benchmarks for reproducibility.

For Groth16, we implement range proofs with two versions of the commitment scheme: the well-established Pedersen commitments and the new zk-friendly Poseidon commitments. We used Circom [8] for writing circuits and rapidsnark [50] for generating and verifying the Groth16 proofs.

The implementations for HashWires, Bulletproofs and BFGW + KZG are in Rust. All the benchmarks were run on an AMD EPYC 7443P 24-Core with 512GB of RAM (a [Link].x86 machine hosted by [Link]). All implementations are in Rust and open sourced at [Link] with various attributions to original implementations. We explicitly chose a non-Mac machine because rapidsnark leverages Intel assembly to speed up Groth16 proof generation.

HashWires has the fastest proof generation and verification times. Both BFGW + KZG and Groth16 have constant-sized proofs, but they are less computationally efficient than the others. Groth16 has the longest proof generation times. This is expected because we are instantiating range proofs within a general-purpose zk proof system.

It is worth noting that in practice the availability of a reliable library may outweigh mild efficiency gains. Bulletproofs is the most widely used range proof in practice and is likely a good choice.

Groth16, though not tailored to range proofs, is one of the most popular general-purpose zero-knowledge proof systems and offers several well supported libraries; we use Circom [8] and rapidsnark [50]. From our benchmarks, one can see the efficiency gains offered by tailored range proof solutions over generic solutions, which is especially visible in the long prover times required for Groth16 relative to the other range proofs.

10 APPLICATIONS

In this section we describe some practical and cryptographic applications of ZKRPs.

10.1 Practical applications

Confidential transactions. Confidential transactions are an application of range proofs that is especially relevant to cryptocurrencies, and have spurred research yielding significant efficiency improvements for ZKRPs in recent years. In most cryptocurrencies, such as Bitcoin and Ethereum, transaction details are visible to everyone; in particular, anyone with access to the underlying blockchain can see the amounts of currency being transferred.

Confidential transactions, initially proposed by Maxwell [63], explored further in [18, 69], and deployed in applications such as Monero², aim to hide the amounts involved in each transaction. In Maxwell's approach, these amounts are stored using Pedersen

is confidential, an outside observer cannot tell which recipient $A$ actually paid.

However, later transactions may suggest which $B_i$ received nonzero currency from $A$, since $B_i \neq B$ will likely never spend their amounts of zero, which are useless. Thus, an observer can infer that the party that spends its received amount is likely $B$. One way to mitigate this issue is for $A$ to send a very small amount to each $B_i \neq B$, to incentivize them to use this amount in a future transaction. This introduces a trade-off between cost and the size of the anonymity set.

Proofs of liabilities, reserves, and solvency. Proofs of solvency allow exchanges or banks to show that they hold enough currency in reserves to pay out all customers. There are two aspects to this: proving that the bank holds at least a certain amount in reserves, and proving that the bank holds at most that amount in liabilities. These proofs should be privacy-preserving in that they don't reveal users' balances. Zero-knowledge range proofs have been used in many schemes such as Provisions [22, 34, 51].

Private voting. Consider the setting where users send encrypted votes to a group of authorities that may jointly decrypt the sums of the votes but should not be able to learn any individual user's vote. A challenge here is that users' votes should be kept private, yet dishonest users should not be able to submit negative votes for candidates that they dislike. [46] constructs several protocols in
commitments [67], and the sender must prove to the miners that this setting and mitigates this issue by requiring users to provide
the sum of the output amounts does not exceed the input amount. zero-knowledge range proofs of their votes’ validity.
In other words, if amt𝑖𝑛 is the input amount and each (amt𝑜𝑢𝑡 )𝑖 is Federated learning. In federated learning, many distributed clients
an output amount, train machine learning models on locally held data. These models
∑︁ are then aggregated into a global model, often by averaging their
amt𝑖𝑛 − (amt𝑜𝑢𝑡 )𝑖 ≥ 0 weights. To protect the privacy of clients’ data, these weights are
𝑖 often submitted under encryption. One concern in this setting is
However, this check on its own is not enough to ensure security. that a malicious client may submit an encrypted model with very
A malicious sender Eve could create coins by creating a transaction large weights, which could hurt the accuracy of the global model
with herself as the recipient where, for example, by skewing this average. One way to mitigate this problem is to
use input validation to ensure that each client’s model has bounded
amt𝑖𝑛 = 0, (amt𝑜𝑢𝑡 )1 = −1, (amt𝑜𝑢𝑡 )2 = 1 weights. Range proofs, used for federated learning by Acorn [7],
Since amt𝑖𝑛 = 0, this transaction does not require Eve to spend enable input validation even over encrypted weights, where clients
any coins. However, since Eve receives the output (amt𝑜𝑢𝑡 )2 = 1, can show that their inputs satisfy these bounds without revealing
she gains a coin. Yet this transaction satisfies the check above. Thus, their models in the clear.
confidential transactions also require the sender to prove that each Auctions. [3] uses range proofs for verifiable auctions. Range
output amount is positive: (amt𝑜𝑢𝑡 )𝑖 ≥ 0 for each 𝑖. proofs help an auctioneer to prove to an auditor that the sale price
Zero-knowledge range proofs give us a way to prove that a was set correctly without revealing the values of the bids. For exam-
committed (or encrypted) value 𝑥 lies in a range [0, 2𝑘 − 1] without ple, in a second-price auction with 𝑛 bids, (where the sale price is
revealing any other information about 𝑥. Thus, when applied to equal to the second-highest bid), the auctioneer can provide proofs
confidential transactions, they allow the sender to show exactly that 𝑛 − 1 bids were at most the sale price and one bid was greater
these checks without compromising confidentiality. than the sale price.
Receiver hiding. In addition to hiding the amounts involved in Anonymous credentials. In an anonymous credential system,
transactions, confidential transactions (enabled by range proofs) users are issued credentials that they can later use to prove facts
allow the sender to hide the identity of the receiver of a transac- about their attributes, such as their age. Ideally, these proofs should
tion. If party 𝐴 wants to send 𝑥 amount to party 𝐵, it can create a reveal no more than is necessary. For example, a user should be
transaction that sends a confidential amount to 𝑛 different users able to prove that their age is at least 18 without revealing their
𝐵 1, . . . , 𝐵𝑛 , one of which is actually 𝐵. The amounts sent to 𝐵𝑖 ≠ 𝐵 exact age. Here, range proofs can be used; this was a motivation for
are zero, and the amount sent to 𝐵 is 𝑥. Because the transaction [24, 26]. An additional desirable property motivated by this setting
2 [Link]
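The balance check and per-output range check described above for confidential transactions, as an added example (not code from the paper or from any of the libraries it benchmarks): a toy Pedersen commitment over a small safe-prime group, a homomorphic balance check in which the sender publishes the blinding "excess", and an opening check that stands in for the zero-knowledge range proof. The group parameters P, Q, G, H and all function names are this example's own constructions, and the parameters are far too small to be secure. It also adds one check the text leaves implicit: the balance equation holds only modulo the group order q, so the verifier bounds the number of outputs times 2^k below q, otherwise in-range outputs could sum past q and wrap around.

```python
"""Constructed toy model of Maxwell-style confidential-transaction checks.
Pedersen commitments over a small prime-order group; the parameters are
illustrative only and not secure."""
import secrets

# Toy group: p = 2q + 1 is a safe prime; commitments live in the order-q
# subgroup of quadratic residues mod p. (Constructed parameters.)
P = 10007
Q = 5003
G = 4  # 2^2 is a quadratic residue, hence a generator of the order-q subgroup
H = 9  # 3^2; in a real deployment log_G(H) must be unknown to everyone


def commit(value: int, blinding: int) -> int:
    """Pedersen commitment C = g^v * h^r (mod p). Exponents are reduced mod q,
    so a 'negative' amount such as -1 is committed as q - 1."""
    return pow(G, value % Q, P) * pow(H, blinding % Q, P) % P


def verify_balance(c_in: int, c_outs: list, excess: int) -> bool:
    """Homomorphic balance check for amt_in - sum(amt_out) = 0 (mod q).
    The sender publishes excess = r_in - sum(r_out) (mod q); the verifier
    checks C_in == prod(C_out) * h^excess without learning any amount."""
    prod = 1
    for c in c_outs:
        prod = prod * c % P
    return c_in == prod * pow(H, excess % Q, P) % P


def opens_in_range(c: int, value: int, blinding: int, k: int) -> bool:
    """Stand-in for the zero-knowledge range proof of 'C commits to a value
    in [0, 2^k)'. The real protocol proves this without revealing value or
    blinding; here the opening is checked directly. The comparison is on the
    residue mod q, so -1 (i.e. q - 1) is correctly rejected."""
    return commit(value, blinding) == c and 0 <= value % Q < 2 ** k


def verify_transaction(amt_in: int, r_in: int, outs: list, k: int) -> tuple:
    """outs is a list of (amount, blinding) pairs chosen by the sender.
    Returns (balance_ok, range_ok); a valid transaction needs both."""
    c_in = commit(amt_in, r_in)
    c_outs = [commit(v, r) for v, r in outs]
    excess = (r_in - sum(r for _, r in outs)) % Q
    balance_ok = verify_balance(c_in, c_outs, excess)
    # Range proofs bound each output, but the balance equation only holds
    # mod q, so the verifier must also ensure the outputs cannot sum past q
    # (otherwise in-range outputs could wrap around and still balance).
    # Real systems choose k and the output limit so this never binds.
    no_wrap = len(outs) * (2 ** k - 1) < Q
    range_ok = no_wrap and all(
        opens_in_range(c, v, r, k) for c, (v, r) in zip(c_outs, outs)
    )
    return balance_ok, range_ok


if __name__ == "__main__":
    rnd = lambda: secrets.randbelow(Q)
    # Honest spend of 10 coins split 4 + 6, 8-bit range: (True, True)
    print(verify_transaction(10, rnd(), [(4, rnd()), (6, rnd())], 8))
    # Eve's transaction from the text, amt_in = 0 with outputs -1 and +1:
    # the balance check passes but the range check fails: (True, False)
    print(verify_transaction(0, rnd(), [(-1, rnd()), (1, rnd())], 8))
```

Eve's transaction passes verify_balance because the −1 output is committed as q − 1 and g^q = 1 cancels it against the +1 output; it fails opens_in_range, which is exactly the gap that the per-output range proof closes.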
Scheme                     Proof size (bytes)            Proof size (asymptotic)
                           32-bit range   64-bit range   k-bit range
Bulletproofs               610            675            O(log k)
Bulletproofs++             -              416            O(log k / log log k)
BFGW + KZG †               576            576            O(1)
SharpGS                    318            360            O(1)
SharpPoSO                  335            389            O(1)
SharpRSA                   751            793            O(1)
HashWires (Base 16) †      231            263            O(log k)
HashWires (Base 256) †     167            199            O(log k)
Groth16 [47] §             192            192            O(1)
Lattice-based ALS [4] **   5,900          -              O(k)
Lattice-based ESLL [39]    58,000         93,000         Ω(k) *
Lattice-based LNS [61] **  11,800         -              o(k) ‡

Figure 5: Proof sizes in bytes for 64- and 32-bit ranges. The benchmark for each of these schemes is from that scheme's original paper, except where otherwise noted.
† Our own benchmark.
§ Benchmark from HashWires [26], over the BLS12-381 curve.
* See [39] for the exact expression, which includes several other parameters not described here. It is Ω(k) and is large relative to the other schemes.
** The proof sizes for 64-bit ranges were not included in [4, 61]. Note that [4] has linear growth, so extrapolating from its 5,900-bit proof for 32-bit ranges, its proof for 64-bit ranges would be large.
‡ See [61] for the exact expression, which is complicated; it is sublinear in k.

Scheme                                    Verifier time (ms)          Prover time (ms)
                                          32-bit range  64-bit range  32-bit range  64-bit range
Bulletproofs †                            1.37          2.51          6.32          11.96
SharpPoSO                                 0.74          0.75          0.97          1.17
Bulletproofs AVX2 (HashWires benchmark)   -             0.938         -             6.516
Bulletproofs++                            -             0.840         -             4.041
HashWires base 16 †                       0.002         0.002         0.003         0.061
HashWires base 256 †                      0.009         0.01          0.083         0.194
BFGW + KZG †                              5.653         5.682         9.572         12.569
Groth16-Poseidon †                        4             4             34.23         34.46
Groth16-Pedersen †                        4             4             31.18         33.57

Figure 6: Verifier and prover times. See implementations: [Link] benches
† Our own benchmark.

is unlinkability, where one cannot tell that two such proofs are for the same commitment.

Verified location. Range proofs can be used to show that a location is in a permitted region, by proving that the latitude and longitude lie in the proper intervals. This and the following application, timestamping, are suggested applications of HashWires [26].

Timestamping. Suppose one is issued a certificate with a secret expiration date. Range proofs can be used to privately show that
the certificate is still valid; i.e., the current date is less than the expiration date.

Certificate transparency. Certificate transparency helps identify when certificate authorities misbehave. This can be done using a public transparency log, allowing all certificates to be publicly viewable. One feature put forth in [41] is a way for auditors to prove when a certificate has been incorrectly omitted from the log, without revealing which certificate has been excluded, for privacy reasons. [41] uses ZKRPs to construct these zero-knowledge non-inclusion proofs.

Differential privacy. In some applications, encrypted consumer data is aggregated to support statistical studies; one example is encrypted electricity consumption data [62]. To enable privacy of individual users, [62] added noise for differential privacy. A ZKRP is used to prove that the added noise is within an accepted range.

10.2 Cryptographic applications

Non-membership proofs. Zero-knowledge range proofs can be used to construct zero-knowledge proofs of non-membership. In other words, one can prove that a committed value x does not belong to some public set S, without revealing any additional information about the committed value. The approach to doing so is to construct a Merkle tree containing the elements of S as leaves in sorted order (if S is not a set over the integers, assume some known mapping from the data universe to integers). A non-membership proof for x is a zero-knowledge proof that one knows leaves s_i and s_j such that s_i and s_j are adjacent and s_i < x < s_j. It is convenient to use a range proof for this second property.

[41] constructs non-membership proofs from zero-knowledge range proofs in this fashion and uses them for certificate transparency, to allow an auditor to prove in zero knowledge that a valid certificate is not included in the log. [58] combines range proofs with techniques from [57] to construct lattice-based non-membership proofs as a generic primitive.

Well-formedness of LWE-based ciphertexts. When computing a function over multiple (potentially untrusted) parties' encrypted inputs, it is important to ensure that these ciphertexts are well formed. FHE schemes based on Ring LWE (RLWE) are often used in such settings [16]. In such schemes, ciphertexts t take the form t = As (over a ring), where A is a matrix representing the public key and s is a vector representing the message and the randomness used in the encryption. This encryption is correct if and only if all entries of s are bounded. Zero-knowledge range proofs have a natural application here: they can be used to show exactly this boundedness without revealing any information about the underlying plaintext.

[37] constructs efficient proofs of well-formedness for RLWE ciphertexts by committing to the components of s using a Pedersen commitment and using Bulletproofs [19] to prove that these components are in the desired range. [55] follows a similar strategy but replaces the use of Bulletproofs with a more efficient zero-knowledge range proof.

Publicly verifiable secret sharing. Publicly verifiable secret sharing allows an untrusted dealer to share a secret in a way that any other party can verify that the secret was properly shared. If the dealer encrypts the shares for the recipients, there must be a way to verify that these recipients can indeed decrypt the ciphertexts to learn well-formed shares.

[48] constructs a PVSS scheme using an encryption scheme which requires solving a discrete logarithm problem for decryption. To make this feasible, it uses chunked encryption, which breaks the plaintext into smaller chunks that allow this discrete logarithm problem to be solved efficiently. It uses range proofs to show that the chunks are indeed small enough. In another PVSS scheme, [45] uses Bulletproofs to construct proofs of correct encryption/decryption of LWE-based PVW ciphertexts [68].

Polynomial relations over the integers. [23, 25] show how zero-knowledge range proofs can be used to construct zero-knowledge proofs of polynomial relations among the discrete logs of given elements, even if these elements lie in different groups. This should be reminiscent of integer commitments, which let us prove relations about committed values over the integers, as is useful in the four-square decomposition range proof constructions. Interestingly, range proofs help achieve this functionality as well. More precisely, let G1 and G2 be two such groups with generators g1 and g2 respectively, and suppose we want to prove equality of discrete logarithms of elements in these two groups. That is, for the simple equality relation, given y1 ∈ G1 and y2 ∈ G2, the prover can convince the verifier that it knows α such that y1 = g1^α in G1 and y2 = g2^α in G2. Showing also that α lies in −2^ℓ < α < 2^ℓ for appropriately chosen ℓ suffices to show that log_{g1} y1 = log_{g2} y2 over Z. The range proof used here serves to show that α does not wrap around either group. The construction used in [23] uses this idea but is much more efficient than combining these proofs naively.

11 RESEARCH GAPS

Research Gap 1. Practical transparent constant-sized range proofs.

No zero-knowledge range proofs are practical, transparent, and have constant-sized proofs. Bulletproofs and its close relatives have transparent setup but have proofs of size O(log k) for a k-bit range. BFGW + KZG has constant-sized proofs but requires a trusted setup; BFGW + DARKs has a transparent setup but requires O(log k)-sized proofs. CKLR has a transparent setup and constant-sized proofs but achieves only a relaxed notion of soundness. Furthermore, its proofs are not as practically efficient as the above schemes because they use less common curves that optimized libraries do not support.

Research Gap 2. Shorter (even amortized) lattice- or code-based ZKRPs.

The proofs of lattice-based and code-based ZKRPs are concretely quite long, as shown in Figure 5. For blockchain applications where one must pay for the space used on-chain, this length is problematic, especially as these constructions do not support aggregation. In order to be competitive with the constructions using other techniques shown in Figure 5, the proof size must be under 1 KB.

Research Gap 3. Lattice- or code-based ZKRPs with multi-prover aggregation.

Lattice-based ZKRPs with short proofs are desirable for confidential transactions, as blockchains transition to post-quantum security.
In such settings, this size issue may be mitigated by multi-prover aggregation. Each block would then contain only an aggregate range proof for all included transactions. However, this aggregation must be multi-prover, as these transactions may be made by many different parties, each holding commitments to private values. Lattice- and code-based ZKRPs with multi-prover aggregation have not yet been constructed, leading us to this related research gap.

Research Gap 4. Un-replayable credential-based range proofs.

For credential applications, one might want an interactive range proof that cannot be replayed. Suppose that Alice has a commitment of her age signed by a trusted credential issuer. Alice should be able to visit the DMV and prove in zero knowledge that her committed age is above 16. An observer Bob should not be able to copy Alice's commitment and re-use the transcript of the protocol to prove (possibly falsely) that his age is above 16. If this range proof is non-interactive, Bob can simply copy the proof and re-use it. This re-use might be avoided if the protocol is public-coin interactive, and the DMV issues a random challenge that requires knowledge of the committed value to respond to.

Can we make hash-chain-based range proofs that are un-replayable in this way? As credentials are a primary motivation for HashWires, un-replayability would be a nice property to add.

Research Gap 5. Integer commitments with full soundness with transparent setup.

CKLR [32] and Sharp [31] construct integer commitments with a relaxed notion of soundness. In order to be used for confidential transactions, they must be augmented with additional proof elements from an RSA group or class group. The RSA version requires a trusted setup, and the class group solution is not compatible with existing optimized libraries. Rather than patching soundness issues by adding these extra elements, it would be preferable to construct practically efficient integer commitments with full soundness and transparent setup.

Research Gap 6. Efficient post-quantum ZKRPs compatible with LWE-based ciphertexts.

Zero-knowledge range proofs can be used to build verifiable LWE-based encryption schemes, as discussed in Section 10.2. However, existing verifiable LWE-based encryption schemes constructed using ZKRPs [37, 55] use discrete-logarithm-based ZKRPs. Thus, while they obtain privacy against quantum adversaries due to the LWE-based encryption used, they lack soundness in verification due to the DLOG-based range proofs. If there were efficient post-quantum range proofs compatible with LWE-based ciphertexts, one could obtain verifiable encryption with soundness against quantum adversaries as well. While a lattice-based zkSNARK (e.g., [2]) may work in theory, it may not be efficient (yielding long ciphertexts and heavy computation). An efficient lattice-based ZKRP that is compatible with lattice-based encryption would be more satisfactory.

REFERENCES

[1] Miklós Ajtai. Generating hard instances of lattice problems. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pages 99–108, 1996.
[2] Martin R. Albrecht, Valerio Cini, Russell W. F. Lai, Giulio Malavolta, and Sri AravindaKrishnan Thyagarajan. Lattice-based SNARKs: Publicly verifiable, preprocessing, and recursively composable. In Annual International Cryptology Conference, pages 102–132. Springer, 2022.
[3] Sebastian Angel and Michael Walfish. Verifiable auctions for online ad exchanges. In Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM, pages 195–206, 2013.
[4] Thomas Attema, Vadim Lyubashevsky, and Gregor Seiler. Practical product proofs for lattice commitments. In Annual International Cryptology Conference, pages 470–499. Springer, 2020.
[5] Carsten Baum, Ivan Damgård, Vadim Lyubashevsky, Sabine Oechsner, and Chris Peikert. More efficient commitments from structured lattice assumptions. In International Conference on Security and Cryptography for Networks, pages 368–385. Springer, 2018.
[6] Mira Belenkiy, Jan Camenisch, Melissa Chase, Markulf Kohlweiss, Anna Lysyanskaya, and Hovav Shacham. Randomizable proofs and delegatable anonymous credentials. In Shai Halevi, editor, Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings, volume 5677 of Lecture Notes in Computer Science, pages 108–125. Springer, 2009. doi:10.1007/978-3-642-03356-8_7.
[7] James Bell, Adrià Gascón, Tancrède Lepoint, Baiyu Li, Sarah Meiklejohn, Mariana Raykova, and Cathie Yun. ACORN: Input validation for secure aggregation. In 32nd USENIX Security Symposium (USENIX Security 23), pages 4805–4822, 2023.
[8] Marta Bellés-Muñoz, Miguel Isabel, Jose Luis Muñoz-Tapia, Albert Rubio, and Jordi Baylina. Circom: A circuit description language for building zero-knowledge applications. IEEE Transactions on Dependable and Secure Computing, 2022.
[9] Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. Scalable, transparent, and post-quantum secure computational integrity. Cryptology ePrint Archive, 2018.
[10] Fabrice Benhamouda, Stephan Krenn, Vadim Lyubashevsky, and Krzysztof Pietrzak. Efficient zero-knowledge proofs for commitments from learning with errors over rings. In European Symposium on Research in Computer Security, pages 305–325. Springer, 2015.
[11] Manuel Blum, Paul Feldman, and Silvio Micali. Non-interactive zero-knowledge and its applications. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pages 103–112, 1988.
[12] D. Boneh, B. Fisch, A. Gabizon, and Z. Williamson. A simple range proof from polynomial commitments, 2020. [Link]
[13] Dan Boneh and Matthew Franklin. Efficient generation of shared RSA keys. In Advances in Cryptology—CRYPTO '97: 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 1997, Proceedings 17, pages 425–439. Springer, 1997.
[14] Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Jens Groth, and Christophe Petit. Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In Advances in Cryptology–EUROCRYPT 2016: 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II 35, pages 327–357. Springer, 2016.
[15] Fabrice Boudot. Efficient proofs that a committed number lies in an interval. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 431–444. Springer, 2000.
[16] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory (TOCT), 6(3):1–36, 2014.
[17] Ernest F. Brickell, David Chaum, Ivan B. Damgård, and Jeroen van de Graaf. Gradual and verifiable release of a secret. In Advances in Cryptology—CRYPTO '87: Proceedings 7, pages 156–166. Springer, 1988.
[18] Benedikt Bünz, Shashank Agrawal, Mahdi Zamani, and Dan Boneh. Zether: Towards privacy in a smart contract world. In International Conference on Financial Cryptography and Data Security, pages 423–443. Springer, 2020.
[19] Benedikt Bünz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, and Greg Maxwell. Bulletproofs: Short proofs for confidential transactions and more. In 2018 IEEE Symposium on Security and Privacy (SP), pages 315–334. IEEE, 2018.
[20] Benedikt Bünz, Ben Fisch, and Alan Szepieniec. Transparent SNARKs from DARK compilers. In Advances in Cryptology–EUROCRYPT 2020: 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10–14, 2020, Proceedings, Part I 39, pages 677–706. Springer, 2020.
[21] Benedikt Bünz, Ben Fisch, and Alan Szepieniec. Transparent SNARKs from DARK compilers. In Advances in Cryptology–EUROCRYPT 2020: 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10–14, 2020, Proceedings, Part I 39, pages 677–706. Springer, 2020.
[22] Philippe Camacho. Secure protocols for provable security, 2014. [Link] [Link]/philippecamacho/protocols-for-provable-solvency-38501620.
[23] Jan Camenisch, BRICS, and Markus Michels. Separability and efficiency for generic group signature schemes. In Annual International Cryptology Conference,
pages 413–430. Springer, 1999.
[24] Jan Camenisch, Rafik Chaabouni, and Abhi Shelat. Efficient protocols for set membership and range proofs. In International Conference on the Theory and Application of Cryptology and Information Security, pages 234–252. Springer, 2008.
[25] Jan Camenisch and Markus Michels. Proving in zero-knowledge that a number is the product of two safe primes. In Advances in Cryptology—EUROCRYPT '99: International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, May 2–6, 1999, Proceedings 18, pages 107–122. Springer, 1999.
[26] Konstantinos Chalkias, Shir Cohen, Kevin Lewi, Fredric Moezinia, and Yolan Romailler. HashWires: Hyperefficient credential-based range proofs. Proceedings on Privacy Enhancing Technologies, 4:76–95, 2021.
[27] Agnes Hui Chan, Yair Frankel, and Yiannis Tsiounis. Easy come - easy go divisible cash. In Kaisa Nyberg, editor, Advances in Cryptology - EUROCRYPT '98, International Conference on the Theory and Application of Cryptographic Techniques, Espoo, Finland, May 31 - June 4, 1998, Proceeding, volume 1403 of Lecture Notes in Computer Science, pages 561–575. Springer, 1998. doi:10.1007/BFb0054154.
[28] Melissa Chase, Markulf Kohlweiss, Anna Lysyanskaya, and Sarah Meiklejohn. Malleable proof systems and applications. In Advances in Cryptology–EUROCRYPT 2012: 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings 31, pages 281–300. Springer, 2012.
[29] Panagiotis Chatzigiannis and Foteini Baldimtsi. MiniLedger: Compact-sized anonymous and auditable distributed payments. In Elisa Bertino, Haya Shulman, and Michael Waidner, editors, Computer Security - ESORICS 2021 - 26th European Symposium on Research in Computer Security, Darmstadt, Germany, October 4-8, 2021, Proceedings, Part I, volume 12972 of Lecture Notes in Computer Science, pages 407–429. Springer, 2021. doi:10.1007/978-3-030-88418-5_20.
[30] Heewon Chung, Kyoohyung Han, Chanyang Ju, Myungsun Kim, and Jae Hong Seo. Bulletproofs+: Shorter proofs for a privacy-enhanced distributed ledger. IEEE Access, 10:42081–42096, 2022.
[31] Geoffroy Couteau, Dahmun Goudarzi, Michael Klooß, and Michael Reichle. Sharp: Short relaxed range proofs. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pages 609–622, 2022.
[32] Geoffroy Couteau, Michael Klooß, Huang Lin, and Michael Reichle. Efficient range proofs with transparent setup from bounded integer commitments. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 247–277. Springer, 2021.
[33] Geoffroy Couteau, Thomas Peters, and David Pointcheval. Removing the strong RSA assumption from arguments over the integers. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 321–350. Springer, 2017.
[34] Gaby G. Dagher, Benedikt Bünz, Joseph Bonneau, Jeremy Clark, and Dan Boneh. Provisions: Privacy-preserving proofs of solvency for Bitcoin exchanges. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 720–731, 2015.
[35] Ivan Damgård and Eiichiro Fujisaki. An integer commitment scheme based on groups with hidden order. Cryptology ePrint Archive, 2001.
[36] Vanesa Daza, Carla Ràfols, and Alexandros Zacharakis. Updateable inner product argument with logarithmic verifier and applications. In Public-Key Cryptography–PKC 2020: 23rd IACR International Conference on Practice and Theory of Public-Key Cryptography, Edinburgh, UK, May 4–7, 2020, Proceedings, Part I 23, pages 527–557. Springer, 2020.
[37] Rafaël Del Pino, Vadim Lyubashevsky, and Gregor Seiler. Short discrete log proofs for FHE and Ring-LWE ciphertexts. In IACR International Workshop on Public Key Cryptography, pages 344–373. Springer, 2019.
[38] Liam Eagen. Bulletproofs++. Cryptology ePrint Archive, 2022.
[39] Muhammed F. Esgin, Ron Steinfeld, Joseph K. Liu, and Dongxi Liu. Lattice-based zero-knowledge proofs: New techniques for shorter and faster constructions and applications. In Annual International Cryptology Conference, pages 115–146. Springer, 2019.
[40] Muhammed F. Esgin, Ron Steinfeld, Amin Sakzad, Joseph K. Liu, and Dongxi Liu. Short lattice-based one-out-of-many proofs and applications to ring signatures. In Applied Cryptography and Network Security: 17th International Conference, ACNS 2019, Bogota, Colombia, June 5–7, 2019, Proceedings 17, pages 67–88. Springer, 2019.
[41] Saba Eskandarian, Eran Messeri, Joseph Bonneau, and Dan Boneh. Certificate transparency with privacy. Proceedings on Privacy Enhancing Technologies, 4:232–247, 2017.
[42] Yair Frankel, Philip D. MacKenzie, and Moti Yung. Robust efficient distributed RSA-key generation. In Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, pages 663–672, 1998.
[43] Eiichiro Fujisaki and Tatsuaki Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In Advances in Cryptology—CRYPTO '97: 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 1997, Proceedings 17, pages 16–30. Springer, 1997.
[44] Ariel Gabizon, Zachary J. Williamson, and Oana Ciobotaru. PLONK: Permutations over Lagrange-bases for oecumenical noninteractive arguments of knowledge. Cryptology ePrint Archive, 2019.
[45] Craig Gentry, Shai Halevi, and Vadim Lyubashevsky. Practical non-interactive publicly verifiable secret sharing with thousands of parties. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 458–487. Springer, 2022.
[46] Jens Groth. Non-interactive zero-knowledge arguments for voting. In Applied Cryptography and Network Security: Third International Conference, ACNS 2005, New York, NY, USA, June 7-10, 2005. Proceedings 3, pages 467–482. Springer, 2005.
[47] Jens Groth. On the size of pairing-based non-interactive arguments. In Advances in Cryptology–EUROCRYPT 2016: 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II 35, pages 305–326. Springer, 2016.
[48] Jens Groth. Non-interactive distributed key generation and key resharing. Cryptology ePrint Archive, 2021.
[49] G. H. Hardy, E. M. Wright, D. R. Heath-Brown, and J. Silverman. An Introduction to the Theory of Numbers. Oxford Mathematics. OUP Oxford, 2008.
[50] iden3. rapidsnark. [Link] 2023.
[51] Yan Ji and Konstantinos Chalkias. Generalized proof of liabilities. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pages 3465–3486, 2021.
[52] Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg. Constant-size commitments to polynomials and their applications. In Advances in Cryptology–ASIACRYPT 2010: 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 5-9, 2010. Proceedings 16, pages 177–194. Springer, 2010.
[53] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography: Principles and Protocols. Chapman and Hall/CRC, 2007.
[54] Akinori Kawachi, Keisuke Tanaka, and Keita Xagawa. Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In Advances in Cryptology–ASIACRYPT 2008: 14th International Conference on the Theory and Application of Cryptology and Information Security, Melbourne, Australia, December 7-11, 2008. Proceedings 14, pages 372–389. Springer, 2008.
[55] Benoît Libert. Vector commitments with short proofs of smallness. Cryptology ePrint Archive, 2023.
[56] Benoît Libert, San Ling, Fabrice Mouhartem, Khoa Nguyen, and Huaxiong Wang. Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption. In International Conference on the Theory and Application of Cryptology and Information Security, pages 101–131. Springer, 2016.
[57] Benoît Libert, San Ling, Khoa Nguyen, and Huaxiong Wang. Zero-knowledge arguments for lattice-based accumulators: Logarithmic-size ring signatures and group signatures without trapdoors. In Advances in Cryptology–EUROCRYPT 2016: 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II 35, pages 1–31. Springer, 2016.
[58] Benoît Libert, San Ling, Khoa Nguyen, and Huaxiong Wang. Lattice-based zero-knowledge arguments for integer relations. In Annual International Cryptology Conference, pages 700–732. Springer, 2018.
[59] Helger Lipmaa. On Diophantine complexity and statistical zero-knowledge arguments. In Advances in Cryptology–ASIACRYPT 2003: 9th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, November 30–December 4, 2003. Proceedings 9, pages 398–415. Springer, 2003.
[60] Vadim Lyubashevsky, Ngoc Khanh Nguyen, and Maxime Plançon. Lattice-based zero-knowledge proofs and applications: Shorter, simpler, and more general. In Annual International Cryptology Conference, pages 71–101. Springer, 2022.
[61] Vadim Lyubashevsky, Ngoc Khanh Nguyen, and Gregor Seiler. Practical lattice-based zero-knowledge proofs for integer relations. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 1051–1070, 2020.
[62] Daisuke Mashima and Arnab Roy. Privacy preserving disclosure of authenticated energy usage data. In 2014 IEEE International Conference on Smart Grid Communications (SmartGridComm), pages 866–871. IEEE, 2014.
[63] Greg Maxwell. Confidential transactions, 2016. [Link] confidential_values.txt.
[64] Eduardo Morais, Tommy Koens, Cees van Wijk, and Aleksei Koren. A survey on zero knowledge range proofs and applications. CoRR, abs/1907.06381, 2019. URL: [Link] arXiv:1907.06381.
[65] Khoa Nguyen, Hanh Tang, Huaxiong Wang, and Neng Zeng. New code-based privacy-preserving cryptographic constructions. In Advances in Cryptology–ASIACRYPT 2019: 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8–12, 2019, Proceedings, Part II 25, pages 25–55. Springer, 2019.
[66] Valeria Nikolaenko, Sam Ragsdale, Joseph Bonneau, and Dan Boneh. Powers-of-tau to the people: Decentralizing setup ceremonies. In International Conference on Applied Cryptography and Network Security, pages 105–134. Springer, 2024.
[67] Torben Pryds Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In Annual International Cryptology Conference, pages 129–140. Springer, 1991.
[68] Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable oblivious transfer. In Annual International Cryptology Conference, pages 554–571. Springer, 2008.
[69] Andrew Poelstra. Mimblewimble. 2016.
[70] Ronald L. Rivest and Adi Shamir. PayWord and MicroMint: Two simple micropayment schemes. In International Workshop on Security Protocols, pages 69–87. Springer, 1996.
[71] Jacques Stern. A new paradigm for public key identification. IEEE Transactions on Information Theory, 42(6):1757–1768, 1996.
[72] Alin Tomescu. Range proofs from polynomial commitments, re-explained, March 2020. [Link] polynomial-commitments-reexplained/.
[73] Nan Wang and Sid Chi-Kin Chau. Flashproofs: Efficient zero-knowledge arguments of range and polynomial evaluation with transparent setup. In International Conference on the Theory and Application of Cryptology and Information Security, pages 219–248. Springer, 2022.
[74] Nan Wang, Sid Chi-Kin Chau, and Dongxi Liu. SwiftRange: A short and efficient zero-knowledge range argument for confidential transactions and more. Cryptology ePrint Archive, 2023.
[75] Pieter Wuille. libsecp256k1, 2018. [Link]
[76] Rupeng Yang, Man Ho Au, Zhenfei Zhang, Qiuliang Xu, Zuoxia Yu, and William Whyte. Efficient lattice-based zero-knowledge arguments with standard soundness: construction and applications. In Advances in Cryptology–CRYPTO 2019: 39th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18–22, 2019, Proceedings, Part I 39, pages 147–175. Springer, 2019.
[77] Zibo Zhou, Zongyang Zhang, Hongyu Tao, Tianyu Li, and Boyu Zhao. Efficient inner product arguments and their applications in range proofs. IET Information Security, 17(3):485–504, 2023.

A FORMAL DEFINITION OF NIZKS

NIZK. A non-interactive zero-knowledge (NIZK) proof [11] is a cryptographic primitive that enables a prover to convince a (sceptical) verifier of the truth of a statement, without disclosing any additional information, using a single message from prover to verifier. A NIZK can be built in two settings: the Random Oracle Model (ROM) or the Common Reference String (CRS) model. Next we recall the definition of NIZK proofs in the CRS model and list their main security properties.

Definition A.1 (Non-Interactive Zero-Knowledge Proofs). Let $\mathcal{R}$ be an NP-relation; its language is $\mathcal{L}_{\mathcal{R}} = \{x \mid \exists\, w \text{ s.t. } (x, w) \in \mathcal{R}\}$, where $x$ and $w$ denote the public statement and the secret witness, respectively. A NIZK for $\mathcal{R}$, denoted $\Pi$, consists of three PPT algorithms $\Pi = (\mathsf{CRSGen}, \mathsf{Prove}, \mathsf{Vf})$ defined as follows:
• $\Pi.\mathsf{CRSGen}(1^\lambda, \mathcal{R}) \to \mathsf{CRS}$: The CRS generation algorithm takes the unary representation of the security parameter $\lambda$ and the relation $\mathcal{R}$ as inputs and returns a common reference string $\mathsf{CRS}$.
• $\mathsf{Prove}(\mathsf{CRS}, x, w) \to \pi$: The prove algorithm takes $\mathsf{CRS}$, a public statement $x$ and a secret witness $w$ as inputs and returns a proof $\pi$.
• $\mathsf{Vf}(\mathsf{CRS}, x, \pi) \to 0/1$: The verify algorithm takes $\mathsf{CRS}$, a public statement $x$ and a proof $\pi$ as inputs and returns a bit indicating acceptance (1) or rejection (0).

Informally, a NIZK proof has three main security properties: completeness, zero-knowledge and soundness (here in its stronger form, extractability), which we formally recall below.

Definition A.2 (Completeness). A NIZK proof $\Pi$ is complete if for all security parameters $\lambda$ and all valid pairs $(x, w) \in \mathcal{R}$ we have
$$\Pr\left[\mathsf{CRS} \leftarrow \mathsf{CRSGen}(1^\lambda) : \mathsf{Vf}(\mathsf{CRS}, x, \mathsf{Prove}(\mathsf{CRS}, x, w)) = 1\right] \geq 1 - \mathsf{negl}(\lambda).$$

Definition A.3 (Zero-Knowledge). For a NIZK proof system $\Pi$ for a relation $\mathcal{R}$ with language $\mathcal{L}_{\mathcal{R}}$, a simulator is a pair of algorithms $\mathsf{Sim} = (\mathsf{Sim}_1, \mathsf{Sim}_2)$, where $\mathsf{Sim}_1$ outputs a CRS together with a trapdoor $\mathsf{tpd}$. The oracle the adversary sees in the simulated experiment is $\mathsf{Sim}'(\mathsf{CRS}, \mathsf{tpd}, x, w) = \mathsf{Sim}_2(\mathsf{CRS}, \mathsf{tpd}, x)$ when $(x, w) \in \mathcal{R}$, and $\mathsf{Sim}'(\mathsf{CRS}, \mathsf{tpd}, x, w) = \bot$ when $(x, w) \notin \mathcal{R}$; that is, simulated proofs are produced without ever using the witness. For $b \in \{0, 1\}$, we define the experiment $\mathsf{ZK}^{\Pi}_{b,\mathsf{Sim}}(1^\lambda, \mathcal{A})$ in Figure 7. The advantage of an adversary $\mathcal{A}$ is
$$\mathsf{Adv}^{\mathsf{ZK}}_{\Pi,\mathcal{A},\mathsf{Sim}}(\lambda) := \left|\Pr\left[\mathsf{ZK}^{\Pi}_{0,\mathsf{Sim}}(1^\lambda, \mathcal{A}) = 1\right] - \Pr\left[\mathsf{ZK}^{\Pi}_{1,\mathsf{Sim}}(1^\lambda, \mathcal{A}) = 1\right]\right|.$$
A NIZK proof system $\Pi$ achieves perfect (resp. computational) zero-knowledge w.r.t. a simulator $\mathsf{Sim} = (\mathsf{Sim}_1, \mathsf{Sim}_2)$ if for all PPT adversaries $\mathcal{A}$ we have $\mathsf{Adv}^{\mathsf{ZK}}_{\Pi,\mathcal{A},\mathsf{Sim}}(\lambda) = 0$ (resp. $\mathsf{Adv}^{\mathsf{ZK}}_{\Pi,\mathcal{A},\mathsf{Sim}}(\lambda) \leq \mathsf{negl}(\lambda)$).

Figure 7: Zero-knowledge security property of a NIZK, $\Pi$.
$\mathsf{ZK}^{\Pi}_{0,\mathsf{Sim}}(1^\lambda, \mathcal{A})$:
    $\mathsf{CRS} \leftarrow \mathsf{CRSGen}(1^\lambda)$
    $\alpha \leftarrow \mathcal{A}^{\mathsf{Prove}(\mathsf{CRS},\cdot,\cdot)}(\mathsf{CRS})$
    return $\alpha$
$\mathsf{ZK}^{\Pi}_{1,\mathsf{Sim}}(1^\lambda, \mathcal{A})$:
    $(\mathsf{CRS}, \mathsf{tpd}) \leftarrow \mathsf{Sim}_1(1^\lambda)$
    $\alpha \leftarrow \mathcal{A}^{\mathsf{Sim}'(\mathsf{CRS},\mathsf{tpd},\cdot,\cdot)}(\mathsf{CRS})$
    return $\alpha$

Definition A.4 (Extractability [28]). A NIZK proof system $\Pi$ for a relation $\mathcal{R}$ and language $\mathcal{L}_{\mathcal{R}}$ is called extractable if there exists a pair of algorithms $\mathsf{Ext} := (\mathsf{Ext}_1, \mathsf{Ext}_2)$, called the extractor, such that the following two advantages are negligible for all PPT adversaries $\mathcal{A}$. The first states that a CRS produced by $\mathsf{Ext}_1$ (together with extraction state $\mathsf{st}$) is indistinguishable from an honestly generated one:
$$\mathsf{Adv}^{\mathsf{CRS}}_{\Pi,\mathcal{A}}(\lambda) := \left|\Pr\left[\mathsf{CRS} \leftarrow \mathsf{CRSGen}(1^\lambda);\ 1 \leftarrow \mathcal{A}(\mathsf{CRS})\right] - \Pr\left[(\mathsf{CRS}, \mathsf{st}) \leftarrow \mathsf{Ext}_1(1^\lambda);\ 1 \leftarrow \mathcal{A}(\mathsf{CRS})\right]\right|,$$
and the second states that $\mathsf{Ext}_2$ recovers a valid witness from any accepting proof the adversary outputs:
$$\mathsf{Adv}^{\mathsf{Ext}}_{\Pi,\mathcal{A}}(\lambda) := \Pr\left[\begin{array}{l} (\mathsf{CRS}_{\mathsf{Ext}}, \mathsf{st}_{\mathsf{Ext}}) \leftarrow \mathsf{Ext}_1(1^\lambda);\ (x, \pi) \leftarrow \mathcal{A}(\mathsf{CRS}_{\mathsf{Ext}}) : \\ \mathsf{Vf}(\mathsf{CRS}_{\mathsf{Ext}}, x, \pi) = 1 \ \wedge\ (x, \mathsf{Ext}_2(\mathsf{CRS}_{\mathsf{Ext}}, \mathsf{st}_{\mathsf{Ext}}, x, \pi)) \notin \mathcal{R} \end{array}\right].$$
A NIZK proof system $\Pi$ is called extractable w.r.t. an extractor $\mathsf{Ext} = (\mathsf{Ext}_1, \mathsf{Ext}_2)$ if $\mathsf{Adv}^{\mathsf{CRS}}_{\Pi,\mathcal{A}}(\lambda) \leq \mathsf{negl}(\lambda)$ and $\mathsf{Adv}^{\mathsf{Ext}}_{\Pi,\mathcal{A}}(\lambda) \leq \mathsf{negl}(\lambda)$. We refer to an extractable NIZK proof as a non-interactive zero-knowledge proof of knowledge, or NIZKPoK for short.

Succinctness. Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge (zkSNARKs) are NIZKPoKs that additionally satisfy a succinctness requirement: the proof size is sublinear in the size of the witness, and in some constructions the verifier's running time is sublinear in it as well. In this paper we primarily concentrate on zkSNARKs, which keep proofs short and verification cheap while the security definitions above for NIZKs continue to apply to them.

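The definitions above are abstract; the following is an added example (not code from the SoK or its authors) that instantiates the three-algorithm interface of Definition A.1 for the simplest proof-of-knowledge relation, R = {(X, w) : X = w·G} over secp256k1, using a Schnorr proof made non-interactive with the Fiat–Shamir transform. It then runs the three properties once each: completeness (A.2) by verifying an honest proof; zero-knowledge (A.3) with a simulator Sim2 that never sees w; and extractability (A.4) with an extractor Ext2 that recovers w by forking the prover. The example is a random-oracle instantiation rather than a CRS-model one, so the "trapdoor" tpd and extraction state st of Definitions A.3 and A.4 are modelled as control of the oracle table (that modelling, the function names, and the fixed-coins prover used for rewinding are assumptions made for this example, not the paper's).

```python
# Added example (not the SoK's code): Schnorr-style NIZK proof of knowledge of a
# discrete log over secp256k1, non-interactive via Fiat-Shamir. Instantiates
# Pi = (CRSGen, Prove, Vf) for R = {(X, w) : X = w*G} plus a simulator (Def. A.3)
# and a forking extractor (Def. A.4). Assumption: the random oracle is an explicit
# table that Sim/Ext may program (it plays the role of tpd / st in the definitions).
import hashlib
import secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(A, B):
    """Affine group law on y^2 = x^3 + 7 over GF(P); INF is the identity."""
    if A is INF or B is INF:
        return B if A is INF else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = INF
    while k:
        R, A, k = (ec_add(R, A) if k & 1 else R), ec_add(A, A), k >> 1
    return R

def enc(pt):
    return b"\x00" * 64 if pt is INF else pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

class RandomOracle:
    """H(CRS, X, R) -> Z_N: SHA-256 behind a table, so a simulator or extractor
    can fix ('program') the answer at a point before the prover queries it."""
    def __init__(self):
        self.table = {}

    def query(self, crs, X, R):
        k = enc(crs) + enc(X) + enc(R)
        return self.table.setdefault(k, int.from_bytes(hashlib.sha256(k).digest(), "big") % N)

    def program(self, crs, X, R, c):
        k = enc(crs) + enc(X) + enc(R)
        assert k not in self.table, "oracle point already fixed"
        self.table[k] = c

def crs_gen():
    return G  # CRSGen of Def. A.1: the CRS is the public generator, no trapdoor

def prove(crs, X, w, oracle, coins=None):
    """Commit R = r*G, c = H(CRS, X, R), s = r + c*w; `coins` fixes r for rewinding."""
    r = coins if coins is not None else secrets.randbelow(N - 1) + 1
    R = ec_mul(r, crs)
    return (R, (r + oracle.query(crs, X, R) * w) % N)

def verify(crs, X, proof, oracle):
    """Accept iff s*G == R + c*X, with c recomputed from the oracle."""
    R, s = proof
    return ec_mul(s, crs) == ec_add(R, ec_mul(oracle.query(crs, X, R), X))

def sim1():
    return G, RandomOracle()  # Sim1 of Def. A.3: the trapdoor is control of the oracle

def sim2(crs, tpd, X):
    """Pick (c, s) first, set R = s*G - c*X and program H(CRS, X, R) := c,
    so the proof verifies although Sim2 never saw w."""
    c, s = secrets.randbelow(N), secrets.randbelow(N)
    cX = ec_mul(c, X)
    R = ec_add(ec_mul(s, crs), INF if cX is INF else (cX[0], (-cX[1]) % P))
    tpd.program(crs, X, R, c)
    return (R, s)

def ext1():
    return G, RandomOracle()  # Ext1 of Def. A.4: the state is an oracle Ext controls

def ext2(crs, st, X, adversary):
    """Run the adversary (a prover on fixed coins) twice; the second run sees a
    different challenge at the same R, so w = (s1 - s2) / (c1 - c2) (mod N)."""
    R, s1 = adversary(st)
    c1 = st.query(crs, X, R)
    fork = RandomOracle()
    c2 = (c1 + 1 + secrets.randbelow(N - 1)) % N  # any challenge != c1
    fork.program(crs, X, R, c2)
    R2, s2 = adversary(fork)
    assert R2 == R, "adversary did not replay its commitment"
    return (s1 - s2) * pow((c1 - c2) % N, -1, N) % N

def demo():
    """Exercise completeness (A.2), zero-knowledge (A.3) and extractability (A.4)."""
    crs = crs_gen()
    w = secrets.randbelow(N - 1) + 1
    X = ec_mul(w, crs)
    honest = RandomOracle()
    complete = verify(crs, X, prove(crs, X, w, honest), honest)
    scrs, tpd = sim1()
    simulated_ok = verify(scrs, X, sim2(scrs, tpd, X), tpd)
    ecrs, st = ext1()
    coins = secrets.randbelow(N - 1) + 1
    extracted = ext2(ecrs, st, X, lambda o: prove(ecrs, X, w, o, coins=coins)) == w
    return {"complete": complete, "simulated_verifies": simulated_ok, "extracted": extracted}
```

Two details worth checking in any Fiat–Shamir instantiation are visible here. First, the oracle input includes both the CRS and the statement X, not just the commitment R; binding the challenge to the statement is what lets the forking argument in ext2 go through for an adversarially chosen X. Second, sim2 and ext2 only work because they are allowed to program or re-answer the oracle, which is exactly the extra power the trapdoor and extraction state grant in Definitions A.3 and A.4; an honest verifier, with no such power, can neither simulate nor extract. A ZKRP exposes the same three-algorithm interface, with the relation replaced by "the committed value lies in [0, 2^n)".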