{"id":36589328,"url":"https://github.com/cryptimeleon/subzero","last_synced_at":"2026-01-12T08:09:50.368Z","repository":{"id":45994642,"uuid":"376124673","full_name":"cryptimeleon/subzero","owner":"cryptimeleon","description":"A declarative domain-specific language for the specification of zero knowledge protocols","archived":false,"fork":false,"pushed_at":"2025-07-30T20:29:40.000Z","size":47067,"stargazers_count":3,"open_issues_count":3,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-09-10T06:27:10.835Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://cryptimeleon.org/subzero/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cryptimeleon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-06-11T19:32:12.000Z","updated_at":"2025-07-30T20:29:44.000Z","dependencies_parsed_at":"2025-09-10T04:54:43.505Z","dependency_job_id":"d48fdc8d-44c2-43c0-b7a2-6da9525a2a3f","html_url":"https://github.com/cryptimeleon/subzero","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cryptimeleon/subzero","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptimeleon%2Fsubzero","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptimeleon%2Fsubzero/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptimeleon%2Fsubzero/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptimeleon%2Fsubzero/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cryptimeleon","download_url":"https://codeload.github.com/cryptimeleon/subzero/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cryptimeleon%2Fsubzero/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28337224,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T06:09:07.588Z","status":"ssl_error","status_checked_at":"2026-01-12T06:05:18.301Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-12T08:09:46.133Z","updated_at":"2026-01-12T08:09:50.353Z","avatar_url":"https://github.com/cryptimeleon.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"Subzero - Zero Knowledge Compiler\n=================================\nSubzero is a declarative domain-specific language (DSL) that enables the specification of zero knowledge protocols.\nThis website features a code editor for writing Subzero programs, and a compiler to generate a Java project that can execute the protocol described by Subzero code.\n\nDocumentation\n=============\n- [Getting started](#getting-started)\n   - [Compiler website](#compiler-website)\n   - [Local build](#local-build)\n\n- [Tutorial](#tutorial)\n   - [Introduction](#introduction)\n   - [DLog equality](#dlog-equality)\n   - [Pedersen commitment](#pedersen-commitment)\n   - [Basic proof of partial knowledge](#basic-proof-of-partial-knowledge)\n   - [Pointcheval Sanders credential](#pointcheval-sanders-credential)\n\n- [The Subzero language](#the-subzero-language)\n   - [Type system](#type-system)\n   - [Program layout](#program-layout)\n   - [Protocol name](#protocol-name)\n   - [Function definitions](#function-definitions)\n   - [Variable declarations](#variable-declarations)\n   - [The proof expression](#the-proof-expression)\n   - [Scope](#scope)\n   - [Identifiers](#identifiers)\n   - [Expressions](#expressions)\n   - [Values](#values)\n   - [Operators](#operators)\n   - [Pairings](#pairings)\n   - [Comments](#comments)\n\n- [Compiler website features](#compiler-website-features)\n   - [Code editor](#code-editor)\n   - [Example protocols](#example-protocols)\n   - [Compiler](#compiler)\n   - [LaTeX preview](#latex-preview)\n   - [Environment](#environment)\n   - [Options](#options)\n\n- [Additional language details](#additional-language-details)\n   - [Implementation](#implementation)\n   - [Generated Java project](#generated-java-project)\n   - [Syntax specification](#syntax-specification)\n\n\u003c!--startExclude--\u003e\n\nGetting started\n===============\n\nCompiler website\n----------------\nThe Subzero compiler is available through the [cryptimeleon website](https://cryptimeleon.org/subzero).\n\nLocal build\n-----------\nYou can also run an instance of the website yourself as a [Docker](https://www.docker.com/) container after cloning the repo.\n```\ngit clone https://github.com/cryptimeleon/subzero.git\ncd subzero/\ndocker build -t subzero .\ndocker run -p 8080:8080 subzero:latest\n```\n\nGo to http://localhost:8080/subzero\n\u003c!--endExclude--\u003e\n\nTutorial\n========\nIntroduction\n------------\nA Subzero program describes a single zero knowledge protocol. The language grammar is designed to be close to protocols in literature, similar to Camenisch-Stadler notation.\n\nAll of the examples in this tutorial can be easily loaded into the code editor using the [example protocols dropdown](#example-protocols). It is recommended to follow along in the code editor, and use the [Environment](#environment) tab to view extra information about the protocol.\n\nDLog equality\n-------------\nWe begin with a simple first protocol that proves the equality of two discrete logarithms.\n\n$$\n\\begin{align*}\n\\mathrm{ZK} \u0026 \\\\{(k): \\\\\n\u0026 b = a ^ {k} \\land h = g ^ {k} \\\\\n\u0026 \\\\}\n\\end{align*}\n$$\n\n```\nwitness: k\nb = a^k \u0026 h = g^k\n```\n\nThe protocol starts with a witness variable declaration list, that declares a single witness variable `k`. Below this is the proof expression, which describes the protocol's proof of knowledge. It consists of a conjunction expression (`\u0026`) composed of two equality (`=`) expressions, `b = a^k` and `h = g^k`.\n\nThe witness variable `k` is declared explicitly. The other variables, `a`, `b`, `g`, and `h` are common input variables that have been declared implicitly.\n\nEvery variable has an algebraic type, that is either `group element` or `exponent`, which is inferred based on its context. By default, a variable is `group element` unless it appears in a specific `exponent` context. In the protocol above, `k` has type `exponent`, since it appears in the exponentiation (`^`) expressions `a^k` and `g^k`. The other variables `a`, `b`, `g`, and `h` have type `group element`. The [Environment](#environment) tab can be used to see the inferred type of all variables.\n\nPedersen commitment\n-------------------\n$$\n\\begin{align*}\npp \u0026 = (h_{1},h_{2},g); \\\\\n\\\\\n\\mathrm{ZK} \u0026 \\\\{(m_{1},m_{2},r): \\\\\n\u0026 C_{1} = h_{1} ^ {m_{1}} \\cdot h_{2} ^ {m_{2}} \\cdot g ^ {r} \\land 0 \\leq m_{1} + m_{2} \\leq 100 \\\\\n\u0026 \\\\}\n\\end{align*}\n$$\n\n```\n[Pedersen commitment with range proof]\n\npp : h_1, h_2, g\nwitness : m_1, m_2, r\n\nC_1 = h_1^m_1 * h_2^m_2 * g^r \u0026 0 \u003c= m_1 + m_2 \u003c= 100\n\n```\n\nThis protocol introduces a few more concepts. First, we start the protocol with a protocol name in between square brackets. This string will be used to name the Java classes in the generated project; if omitted, a default will be used.\n\nNext, we have a new variable declaration list beginning with the keyword `pp`, which explicitly declares public parameter variables. Once again, witness variables are explicitly declared, and the remaining variables are implicitly declared common input variables.\n\nThe protocol also has a double inequality expression `0 \u003c= m_1 + m_2 \u003c= 100`, which represents a range proof. Subzero supports both single and double inequalities with the usual relational operators (`\u003c`, `\u003e`, `\u003c=`, `\u003e=`). `*` and `+` are used for multiplication and addition expressions. `/` and `-` are used similarly for division and subtraction expressions.\n\nBasic proof of partial knowledge\n--------------------------------\n$$\n\\begin{align*}\n\\mathrm{ZK} \u0026 \\\\{(x,r): \\\\\n\u0026 g ^ {x} \\cdot h ^ {r} = C \\land (h ^ {r} = C_{2} \\lor h ^ {x} = C_{2}) \\\\\n\u0026 \\\\}\n\\end{align*}\n$$\n\n```\n[Partial knowledge]\n\nwitness: x,r;\ng^x * h^r = C\n\u0026 (h^r = C_2 | h^x = C_2)\n```\nThis protocol contains a disjunction (`|`) expression `h^r = C_2 | h^x = C_2` which represents a proof of partial knowledge. Because the two operand equality expressions `h^r = C_2` and `h^x = C_2` are quite similar, we can move these out into a function `checkDLog` and replace the expressions with two function calls.\n\n```\n[Partial knowledge]\n\ncheckDLog(y) {\n  h^y = C_2\n}\n\nwitness: x,r;\ng^x * h^r = C\n\u0026 (checkDLog(r) | checkDLog(x))\n```\n\nThe function definition consists of the function identifier `checkDLog`, the parameter declaration list (only `y`), and the function body expression `h^y = C_2`. Function bodies can implicitly declare common input variables (`C_2` in this case), and use implicitly declared common input variables from the proof expression or other function definitions (`h` in this case). All function definitions must appear after the protocol name (if present) and before variable declarations.\n\nSince this function is rather short, we may want it to be inlined in the generated code. To do this, we simply add the `inline` keyword.\n```\ninline checkDLog(y) {\n  h^y = C_2\n}\n```\n\nPointcheval Sanders credential\n------------------------------\n$$\n\\begin{align*}\n\\mathrm{ZK} \u0026 \\\\{(age,pos,r): \\\\\n\u0026 e(\\sigma_1',\\tilde{X}) \\cdot e(\\sigma_1',\\tilde{Y}_1 ^ {age} \\cdot \\tilde{Y}_2 ^ {pos}) \\cdot e(\\sigma_1',\\tilde{g}) ^ {r} = e(\\sigma_2',\\tilde{g}) \\land (age \u003c 18 \\lor pos = 17) \\\\\n\u0026 \\\\}\n\\end{align*}\n$$\n\n```\n[Pointcheval Sanders credential showing]\n\nwitness: age, pos, r\n\ne(sigma_1', X~) * e(sigma_1', Y_1~^age * Y_2~^pos) * e(sigma_1', g~)^r = e(sigma_2', g~) // valid signature\n\u0026 (age \u003c 18 | pos = 17) // young or student\n\n```\n\nThe final example protocol shows a few more features. Single-line comments start with `//`. Multi-line comments are also supported between `/*` and `*/`.\n\nVariable identifiers support more than letters and numbers, to allow special formatting in the [LaTeX preview](#latex-preview) tab. Underscores allow for subscripts, tildes allow for overtildes, single quotes allow for prime symbols, and names of Greek letters will display as the Greek symbol.\n\nFinally, there are several function calls to the `e` function. This is the built-in pairing function, which allows for constructing pairing-based schemes, and takes in two `group element` expressions to pair.\n\nThe next section will further explain the language details introduced in this section.\n\nThe Subzero language\n====================\n\nType system\n-----------\nSubzero uses a type system where variables have both an algebraic type, and a proof role (type and role for short).\n\n### Types\nThere are three distinct types in Subzero: `boolean`, `exponent`, and `group element`. Variables and function parameters can either be of type `exponent` or `group element`. A function's return type can be `boolean`, `exponent`, or `group element`. Types are not declared; instead, all variable, parameter and return types are inferred based on their context, and semantic errors will be shown if they are used in conflicting type contexts.\n\n### Roles\nThe role determines the usage of a variable within the protocol. Every variable is either a witness variable, a public parameter variable, a common input variable, or a local variable. Witness and public parameter variables are declared explicitly in [variable declaration lists](#variable-declarations). Local variables are declared in the parameter list of their corresponding function definition. All other variables are implicitly declared as common input variables; alternatively, common input variables can also be declared explicitly in a variable declaration list.\n\nThe role is not relevant for function return values, or when passing in function arguments.\n\n### Group Types\nAll variables of algebraic type `group element` also have a group type. By default, the group type is `G1`. When pairings are used in a protocol, then the group type can also be `G2` or `GT`. See [pairings](#pairings) for more details.\n\nNote that function parameters and function return types will never have a group type, even if they have type `group element`.\n\nProgram layout\n--------------\nA Subzero program specifies a single zero knowledge proof of knowledge protocol.\nA program consists of an optional protocol name, optional function definitions, variable declarations, and a proof expression. The protocol must specify these in the given order.\n\n```\n// Protocol name\n[Example protocol]\n\n// Function definitions\nfoo(a, b) {\n   ...\n}\n\ninline bar(c, d) {\n   ...\n}\n\n// Variable declarations\nwitness: ...\npp: ...\ncommon: ...\n\n// Proof expression\n...\n\n```\n\nProtocol name\n-------------\nThe protocol name is an optional string that will be used to name the generated classes during compilation; if omitted, a default protocol name will be used. It must be the first line of the program, between a pair of square brackets. The name must start with a letter, and can be followed by letters, numbers, underscores, and spaces.\n\n```[My example protocol]```\n\nDuring generation, the protocol name will be converted to a PascalCase prefix for class names. For example, the above name will become the prefix `MyExampleProtocol`.\n\nFunction definitions\n--------------------\nZero or more functions can be defined at the start of the program, after the protocol name. A function definition starts with a function name, which must be a valid [function identifier](#function-identifiers). This is followed by a comma-separated list of parameter names inside parentheses, and finally a single expression inside curly braces. Both the expression and right curly brace can be optionally followed by a semicolon. Parameter names must be valid [variable identifiers](#variable-identifiers).\n\n```\nfoo(a, b, c) {\n  a + b + c;\n};\n\nbar(a, b, c) {\n   a = b \u0026 2 \u003c= c \u003c 10\n}\n```\n\nSince all functions are pure functions (i.e. no side effects), they are also inlinable. To make a function inlined, prefix it with the `inline` keyword. In the generated Java code, a non-inlined function will generate as a class method and function calls to that method, whereas an inline function will generate the function body expression in place of every function call to it.\n\n```\ninline baz(g, x) {\n   g^x\n}\n```\n\nAny variable that references a parameter in the function is called a local variable. Any other variable is a global variable, and can reference a witness variable, public parameter variable, or common input variable.\n\nAll parameters in the parameter list should be referenced at least once by a local variable, so that type inference can occur. A warning will appear if there is a parameter with no variable referencing it.\n\nNote that function definitions cannot contain function calls or disjunctions at this time.\n\nVariable declarations\n---------------------\nVariables are declared after any function definitions.\n\nA variable declaration list begins with a role keyword with an optional colon, followed by a comma-separated list of variable names, with an optional semicolon at the end. The valid keywords are `witness` for witness variables, `pp` for public parameter variables, and `common` for common input variables. A protocol must contain at least one witness variable.\n\nWitness variables and public parameter variables are always declared explicitly, whereas common input variables are declared implicitly by default (and thus a `common` declaration list is never necessary). Common input variables can also be declared explicitly if desired; if at least one common input variable is declared explicitly, then no common input variables are allowed to be implicitly declared.\n\nImplicit declaration of common input variables allows for more readable protocols that more closely resemble protocols in literature. Explicit declaration of common input variables ensures that variables are not implicitly declared by accident as a result of typos.\n\n```\npp: a, b, c;\nwitness: d, e, f;\ncommon: g, h, i;\n```\n\n```\nwitness x, r\npp m1\n```\n\n```\npp: m1, m2;\nwitness: x, r;\ncommon: g, h;\n```\n\nThe proof expression\n--------------------\nThis expression describes the zero knowledge argument of knowledge protocol, and is written after all variable declarations. It consists of a single logical or comparison expression followed by an optional semicolon. The expression can also be prefixed with the keyword `statement` with an optional colon after.\n\nWhen the protocol is run, this expression evaluates to either true or false, signifying whether the protocol was run successfully or not.\n\n```\nb = a^k \u0026 h = g^k\n```\n\n```\nstatement: g^x * h^r = C_1 \u0026 h^r = C_2;\n```\n\nNothing can be written after the proof expression.\n\nScope\n-----\nAll function parameters have scope limited to the function body. All other variables, whether declared explicitly in a variable declaration list, or declared implicitly in the proof expression or any function body, have global scope.\n\nIdentifiers\n-----------\nSubzero has two types of identifiers: function identifiers and variable identifiers. All identifiers are case-sensitive.\n\n### Function identifiers\nA function identifier must begin with a letter, and can contain letters and numbers.\n\n### Variable identifiers\nA variable identifier must start with a letter, and can contain letters and numbers, as well as some special characters under certain conditions.\n\nThe identifier can contain special formatting fragments, which allow for formatting of variables in the [LaTeX Preview](#latex-preview) tab. If you do not intend to use the preview, the rest of this section can be skipped.\n\nThe variable can have any number of terminating single quotes, or terminating substrings `Prime`, to add prime symbols after a variable name.\n\n\u003ctable\u003e   \n\u003ctr\u003e\n\u003ctd\u003e\n\n```\nx'\nx'''\nxPrimePrime\n```\n\u003c/td\u003e\n\u003ctd\u003e\n   \n$$\nx',  x''',  x''\n$$\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\nThe variable can have a terminating underscore, or terminating substring `Bar`, to add a bar over the variable name.\n\u003ctable\u003e   \n\u003ctr\u003e\n\u003ctd\u003e\n   \n```\nx_\nxBar\n```\n\u003c/td\u003e\n\u003ctd\u003e\n   \n$$\n\\bar{x}\n$$\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\nThe variable can have a terminating tilde, or terminating substring `Tilde`, to add a tilde over the variable name.\n\u003ctable\u003e   \n\u003ctr\u003e\n\u003ctd\u003e\n   \n```\nx~\nxTilde\n```\n\u003c/td\u003e\n\u003ctd\u003e\n   \n$$\n\\tilde{x}\n$$\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\nThe variable can have a terminating substring `Hat`, to add a hat over the variable name. Although intuitive, the caret cannot be used to add a hat as it is used as the exponentiation operator.\n\u003ctable\u003e   \n\u003ctr\u003e\n\u003ctd\u003e\n   \n```\nxHat\n```\n\u003c/td\u003e\n\u003ctd\u003e\n   \n$$\n\\hat{x}\n$$\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\nThe variable can have a nonstarting and nonterminating underscore, or a nonstarting and nonterminating substring `Sub`, to add the portion immediately after as a subscript.\n\u003ctable\u003e   \n\u003ctr\u003e\n\u003ctd\u003e\n   \n```\nx_2\nx_new\nxSub1\nxSubA\n```\n\u003c/td\u003e\n\u003ctd\u003e\n   \n$$\nx_2, x_{new}, x_1, x_A\n$$\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\nIn the case where multiple of these features are used in an identifier, the fragments have a designated order. If symbols (`~`, `_`) are used for the tilde/bar, then the subscript fragment goes before the tilde/bar fragment, which goes before the prime fragment. Otherwise if the substrings (`Tilde`, `Bar`, `Hat`) are used, the tilde/bar/hat fragment goes before the subscript fragment, which goes before the prime fragment.\n\u003ctable\u003e   \n\u003ctr\u003e\n\u003ctd\u003e\n   \n```\nx_1~'\nxTildeSub1Prime\n```\n\u003c/td\u003e\n\u003ctd\u003e\n   \n$$\n\\tilde{x}_1'\n$$\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\nIf the name of a variable (excluding all other formatting fragments) is the name of a Greek letter in all lowercase letters, it will be displayed in the LaTeX preview as the Greek symbol. For uppercase Greek letters, simply capitalize the first letter of the name. Some shorthand names of Greek letters are also allowed.\n\u003ctable\u003e   \n\u003ctr\u003e\n\u003ctd\u003e\n   \n```\ntheta\nsigma_1'\neps\n```\n\u003c/td\u003e\n\u003ctd\u003e\n   \n$$\n\\theta, \\sigma_1', \\epsilon\n$$\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eClick here to view all supported Greek letters\u003c/summary\u003e\n\n| Name | Greek letter | \n|:----:|:------------:|\n|alpha|\u0026alpha;|\n|beta|\u0026beta;|\n|gamma|\u0026gamma;|\n|Gamma|\u0026Gamma;|\n|delta|\u0026delta;|\n|Delta|\u0026Delta;|\n|eps|\u0026epsilon;|\n|epsilon|\u0026epsilon;|\n|zeta|\u0026zeta;|\n|eta|\u0026eta;|\n|theta|\u0026theta;|\n|Theta|\u0026Theta;|\n|iota|\u0026iota;|\n|kappa|\u0026kappa;|\n|lambda|\u0026lambda;|\n|Lambda|\u0026Lambda;|\n|mu|\u0026mu;|\n|nu|\u0026nu;|\n|xi|\u0026xi;|\n|Xi|\u0026Xi;|\n|pi|\u0026pi;|\n|Pi|\u0026Pi;|\n|rho|\u0026rho;|\n|sigma|\u0026sigma;|\n|Sigma|\u0026Sigma;|\n|tau|\u0026tau;|\n|ups|\u0026upsilon;|\n|upsilon|\u0026upsilon;|\n|Ups|\u0026Upsilon;|\n|Upsilon|\u0026Upsilon;|\n|phi|\u0026phi;|\n|Phi|\u0026Phi;|\n|chi|\u0026chi;|\n|psi|\u0026psi;|\n|Psi|\u0026Psi;|\n|omega|\u0026omega;|\n|Omega|\u0026Omega;|\n\u003c/details\u003e\n\nGreek letters which share the same symbol as an English letter, such as capital alpha (A), are not supported. \n\nAll Subzero identifiers with special formatting will be converted to valid Java identifiers during compilation.\n\nExpressions\n-----------\nAn expression is a value or an operation (which consists of an operator and operand expressions) that evaluates to a specific value of a certain type. There are three kinds of expression: logical, comparison, and algebraic.\n\nLogical expressions include conjunctions and disjunctions, and function calls which return a logical expression. They evaluate to a `boolean` value.\nComparison expressions include equalities and inequalities, and function calls which return a comparison expression. They evaluate to a `boolean` value.\nAlgebraic expressions include sums, products, exponentiations, negations, variables, number literals, and function calls which return an algebraic expression. They evaluate to either an `exponent` or `group element` value.\n\nValues\n------\n### Function calls\nA function call consists of the name of a valid function followed by a comma-delimited list of arguments enclosed in parentheses, where each argument is an algebraic expression.\n\n```foo(a + b, bar(x,r), x, y^(a+b))```\n\nThe type of a function call is the return type of the corresponding function.\n\n### Number literals\nA number literal consists of any integer, and has type `exponent`.\n\n### Variables\nVariable names must use a valid [variable identifier](#variable-identifiers).\n\nOperators\n---------\nThe language has logical, comparison, and algebraic operators. These include various unary, binary, and ternary operators.\n\nThe following table shows all operators, with their precedence and associativity (when relevant). Operators are listed in descending precedence from top to bottom.\n\n| Precedence | Operator | Description | Associativity | Category |\n|:----------:|:--------:|:-----------:|:-------------:|:--------:|\n| 1 | x() | Function call | - | - |\n| 2 | -x | Unary negation | - | Algebraic |\n| 3 | x ^ y | Exponentiation | Right to left | Algebraic |\n| 4 | x * y | Multiplication | Left to right | Algebraic |\n| 4 | x / y | Division | Left to right | Algebraic |\n| 5 | x + y | Addition | Left to right | Algebraic |\n| 5 | x - y | Subtraction | Left to right | Algebraic |\n| 6 | x = y | Equality | - | Comparison | Comparison |\n| 6 | x \u003e y | Greater than | - | Comparison |\n| 6 | x \u003c y | Less than | - | Comparison |\n| 6 | x \u003e= y | Greater than or equal | - | Comparison |\n| 6 | x \u003c= y | Less than or equal | - | Comparison |\n| 6 | x \u003e y \u003e= z | Double inequality | - | Comparison |\n| 7 | x \\| y | Disjunction | Left to right | Logical |\n| 8 | x \u0026 y | Conjunction | Left to right | Logical |\n\nAn expression surrounded by parentheses is also an expression, so the precedence order does not need to be remembered as long as sufficient parentheses are used.\n\n### Conjunction (logical AND)\nConjunction expressions evaluate to a `boolean`, and both operands must be `boolean`. An expression evaluates to true if and only if the expressions A and B both evaluate to true.\n\n```A \u0026 B```\n\n### Disjunction (logical OR)\nDisjunction expressions evaluate to a `boolean`, and both operands must be `boolean`. An expression evaluates to true if and only if at least one of the expressions A and B evaluate to true.\n\n```A | B```\n\n### Equality\nEquality expressions evaluate to a `boolean`, and the operands must be either both `exponent` or both `group element`.\n\n```A = B```\n\n### Inequality\nInequality expressions evaluate to a `boolean`, and both operands must have type `exponent`.\n\n#### Greater than\n```A \u003e B```\n\n#### Less than\n```A \u003c B```\n\n#### Greater than or equal to\n```A \u003e= B```\n\n#### Less than or equal to\n```A \u003c= B```\n\n#### Double inequality\n```A \u003e B \u003e C```  \n\n```A \u003e= B \u003e C```  \n\n```A \u003e B \u003e= C```  \n\n```A \u003e= B \u003e= C```  \n\n```A \u003c B \u003c C```  \n\n```A \u003c= B \u003c C```  \n\n```A \u003c B \u003c= C```  \n\n```A \u003c= B \u003c= C```\n\nComparisons (equalities and inequalities) can also have a subprotocol name specified after the expression that will appear in the generated code. It uses the same syntax as the protocol name.\n\n```g^x * h^r = C [Example subprotocol]```\n\n### Sum\nSum expressions evaluate to an `exponent`, and both operands must have type `exponent`.\n\n#### Addition\n```A + B```\n\n#### Subtraction\n```A - B```\n\n### Product\nProduct expressions evaluate to an `exponent` or a `group element`. The operands must both have type `exponent`, or both have type `group element`.\n\n#### Multiplication\n```A * B```\n\n#### Division\n```A / B```\n\n### Exponentiation\nExponentiation expressions evaluate to an `exponent` if the left operand is of type `exponent`, or to a `group element` if the left operand is of type `group element`. The right operand must be of type `exponent`.\n\n```A ^ B```\n\n### Unary negation\nNegation expressions evaluate to an `exponent` and the operand must be of type `exponent`.\n\n```-A```\n\nPairings\n--------\nSubzero currently has one built-in function: the pairing function `e`. The function takes two `group element` parameters, and returns a `group element`. Any `group element` variables within the expression passed as the second parameter will have group type `G2`, and any variables involved in an equality expression that contains a pairing (but not passed into the function) will have group type `GT`. All other `group element` variables have group type `G1`.\n\nFor example, in the expression `z = e(g, h)^x`, `z` has group type `GT`, `g` has group type `G1`, and `h` has group type `G2`.\n\nIf a `group element` variable is used in multiple contexts with conflicting group types, a semantic error will be shown.\n\nComments\n--------\nSingle line comments start with `//`.\nMulti line comments start with `/*` and end with `*/`.\nNote that Subzero comments will not be included anywhere in the generated Java code.\n\n```\n// This is a single line comment\n/* This is\n   a multi-line\n   comment */\n```\n\nCompiler website features\n=========================\nThe compiler website has many features to help make writing Subzero protocols easier.\n\nCode editor\n-----------\nThe editor has the following features:\n- Syntax highlighting\n- Syntax errors\n- Descriptive semantic errors and warnings (hover over the red X or yellow triangle)\n- Bracket matching\n- Auto-indentation\n- Control font size with `Ctrl+'+'` and `Ctrl+'-'`\n- Use `Ctrl+'f'` and `Ctrl+'h'` for find and replace\n- Use `Ctrl+'s'` to save the Subzero program code\n\nExample protocols\n-----------------\nA dropdown menu allows you to load existing example protocols into the editor. This is an easy way to become familiar with the language.\n\nCompiler\n--------\nOnce a valid Subzero program is written, it can be compiled. This will generate a complete Java program (buildable with [Gradle](https://gradle.org/)) that specifies and runs the protocol using the Cryptimeleon [Math](https://github.com/cryptimeleon/math) and [Craco](https://github.com/cryptimeleon/craco) libraries. Note that because syntax and semantic errors are raised as a program is typed, once the protocol is free from errors in the editor then there should be no errors during compilation. If any compilation error is encountered, opening a [Github issue](https://github.com/cryptimeleon/subzero/issues) would be appreciated.\n\nLaTeX preview\n-------------\nThis tab displays formatted LaTeX based on the code in the editor. If the Subzero code is free of syntax and semantic errors, the LaTeX Preview tab will display a formatted LaTeX interpretation of the Subzero code. Because variable identifiers support special formatting fragments, this allows for variables with subscripts, tildes, bars, hats, primes, and Greek letters. A TEX file can also be downloaded containing the LaTeX text.\n\nEnvironment\n-----------\nThe Environment tab displays information about all variables and functions, and updates as a protocol is written. For variables, the proof role and algebraic type are displayed, as well as the group type when relevant. For functions, the parameter types, return type, and origin (built-in function or user-defined) are displayed. Clicking a column header will also sort the table rows by that column.\n\nOptions\n-------\nBy default, the program will be compiled and downloaded as a zipped Java project. In the Options tab you can choose to generate only certain classes of the project, and also view the Java classes in the website editor. This is useful for seeing how changes in the Subzero code affect the generated Java classes, without having to constantly unzip a full project.\n\nAdditional language details\n===========================\nThe following section provides extra information about the language that is not necessary to know to write protocols, but provides greater insight for those who are curious.\n\nImplementation\n--------------\nThe Subzero compiler is written in Java and [Xtend](https://www.eclipse.org/xtend/), using the [Xtext](https://www.eclipse.org/Xtext/) language development framework. Some classes are written in Xtend to leverage language features convenient for code generation, including:\n- [Template strings](https://www.eclipse.org/xtend/documentation/203_xtend_expressions.html#templates)\n- [Switch with type guards](https://www.eclipse.org/xtend/documentation/203_xtend_expressions.html#switch-expression)\n- [Dispatch methods](https://www.eclipse.org/xtend/documentation/202_xtend_classes_members.html#polymorphic-dispatch)\n- [Extension methods](https://www.eclipse.org/xtend/documentation/202_xtend_classes_members.html#extension-methods)\n\nThe compiler website is built with [Svelte](https://svelte.dev/). It uses [Ace](https://ace.c9.io/) for the code editor, [MathJax](https://www.mathjax.org/) for the LaTeX preview, and [Carbon Design System](https://github.com/carbon-design-system/carbon) for the UI. \n\nGenerated Java project\n----------------------\nWhen a Subzero protocol is compiled, it will generate a full Java project buildable with Gradle, containing 2-3 classes.\n\n### Protocol class\nThis class provides the specification of the zero knowledge proof of knowledge protocol, using the Cryptimeleon Math and Craco libraries.\n\n### Public parameters class\nThis class is required whenever the protocol contains an inequality expression (a range proof), or a disjunction expression (a partial proof of knowledge) that is contained anywhere in a conjunction expression.\n\n### Test class\nThis class will create an instance of the protocol and run it. Variables will be instantiated with default values (which may result in the test failing), and thus this class should be edited as needed.\n\nSyntax specification\n--------------------\nThe following describes the [EBNF](https://en.wikipedia.org/wiki/Extended_Backus%E2%80%93Naur_form) (Extended Backus-Naur Form) specification of the DSL grammar.\n\nNote that some programs that follow this syntax are not necessarily valid, as there are additional semantic rules for a valid protocol. The grammar is designed to be more permissive than necessary to allow for detailed semantic errors, as opposed to obscure syntax errors.\n\nA Subzero program consists of a single ```\u003cprotocol\u003e```.\n\n```\n\u003cprotocol\u003e ::= \n   \u003cprotocol-name\u003e?\n   \u003cfunction-definition\u003e* \n   (\n      ('witness' ':'? (\u003cwitness\u003e (',' \u003cwitness\u003e)*) ';'?) |\n      ('pp' ':'? (\u003cpp\u003e (',' \u003cpp\u003e)*) ';'?) |\n      ('common' ':'? (\u003cconstant\u003e (',' \u003cconstant\u003e)*) ';'?)\n   )*\n   ('statement' ':'?)? \u003cexpression\u003e ';'?\n\n\u003cwitness\u003e ::= \u003cidentifier\u003e\n\u003cpp\u003e ::= \u003cidentifier\u003e\n\u003cconstant\u003e ::= \u003cidentifier\u003e\n\n\u003cfunction-definition\u003e ::= \n   'inline'? \u003cidentifier\u003e\n   '(' (\u003cparameter\u003e (',' \u003cparameter\u003e)*)? ')'\n   '{' \u003cexpression\u003e ';'? '}' ';'?\n\u003cparameter\u003e ::= \u003cidentifier\u003e\n\n\u003cexpression\u003e ::= \u003cdisjunction\u003e\n\u003cdisjunction\u003e ::= \u003cconjunction\u003e | \u003cdisjunction\u003e '|' \u003cconjunction\u003e\n\u003cconjunction\u003e ::= \u003ccomparison\u003e | \u003cconjunction\u003e '\u0026' \u003ccomparison\u003e\n\u003ccomparison\u003e ::= \u003csum\u003e | \u003ccomparison\u003e \u003coperator\u003e \u003csum\u003e (\u003coperator\u003e \u003csum\u003e)? \u003cprotocol-name\u003e?\n\u003csum\u003e ::= \u003cproduct\u003e | \u003csum\u003e '+' \u003cproduct\u003e | \u003csum\u003e '-' \u003cproduct\u003e\n\u003cproduct\u003e ::= \u003cpower\u003e | \u003cproduct\u003e '*' \u003cpower\u003e | \u003cproduct\u003e '/' \u003cpower\u003e\n\u003cpower\u003e ::= \u003cconstruct\u003e | \u003cconstruct\u003e '^' \u003cpower\u003e\n\u003cconstruct\u003e ::= \u003ctuple\u003e | \u003cnegative\u003e\n\u003ctuple\u003e ::= '(' \u003cdisjunction\u003e (',' \u003cdisjunction\u003e)+ ')'\n\u003cnegative\u003e ::= \u003cvalue\u003e | '-' \u003cvalue\u003e\n\u003cvalue\u003e ::= \u003cfunction-call\u003e | \u003cvariable\u003e | \u003cnumber-literal\u003e | '(' \u003cbrackets\u003e ')'\n\u003cfunction-call\u003e ::= \u003cidentifier\u003e '(' (\u003cargument\u003e (',' \u003cargument\u003e)*)? ')'\n\u003cargument\u003e ::= \u003cdisjunction\u003e\n\u003cvariable\u003e ::= \u003cidentifier\u003e\n\u003cnumber-literal\u003e ::= [0-9]+\n\u003cbrackets\u003e ::= \u003cdisjunction\u003e\n\n\u003coperator\u003e ::= '=' | '\u003c' | '\u003c=' | '\u003e' | '\u003e='\n\u003cprotocol-name\u003e ::= '[' [a-zA-z] [a-zA-Z0-9_' ]* ']'\n\u003cidentifier\u003e ::= [a-zA-Z] [a-zA-Z0-9_~']*\n```\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcryptimeleon%2Fsubzero","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcryptimeleon%2Fsubzero","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcryptimeleon%2Fsubzero/lists"}