{"id":13632448,"url":"https://github.com/nulltea/zk-timelock","last_synced_at":"2025-10-14T12:44:56.974Z","repository":{"id":61607154,"uuid":"544469990","full_name":"nulltea/zk-timelock","owner":"nulltea","description":"Arkworks circuits for verifiable time-lock encryption","archived":false,"fork":false,"pushed_at":"2022-10-14T14:19:43.000Z","size":349,"stargazers_count":84,"open_issues_count":1,"forks_count":5,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-05-22T04:27:43.178Z","etag":null,"topics":["arkworks","bls12-381","cryptography","encryption","timelock","zero-knowledge"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nulltea.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-10-02T15:05:23.000Z","updated_at":"2024-04-05T11:10:44.000Z","dependencies_parsed_at":"2022-10-20T10:15:40.553Z","dependency_job_id":null,"html_url":"https://github.com/nulltea/zk-timelock","commit_stats":null,"previous_names":["nulltea/zk-timelock"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nulltea%2Fzk-timelock","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nulltea%2Fzk-timelock/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nulltea%2Fzk-timelock/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nulltea%2Fzk-timelock/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nulltea","download_url":"https://codeload.github.com/nulltea/zk-timelock/tar.gz/refs/heads/ma
in","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223772232,"owners_count":17199973,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arkworks","bls12-381","cryptography","encryption","timelock","zero-knowledge"],"created_at":"2024-08-01T22:03:03.398Z","updated_at":"2025-10-14T12:44:51.924Z","avatar_url":"https://github.com/nulltea.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"# \u003cp align=\"center\"\u003e zk-timelock \u003c/p\u003e\nThis repo contains arithmetic circuits for verifiable time-lock encryption made using the [arkworks-rs](https://github.com/arkworks-rs) toolkit. For more details on such an encryption scheme, see the [`drand/tlock`](https://github.com/drand/tlock) (Go) and [`timoth-y/tlock-rs`](https://github.com/timoth-y/tlock-rs) (Rust) repos.\n\n## Overview\nThe algorithm implemented here is Boneh-Franklin [\\[1\\]](https://crypto.stanford.edu/~dabo/papers/bfibe.pdf) identity-based encryption (IBE) (see Rust code [here](https://github.com/timoth-y/tlock-rs/blob/main/tlock/src/ibe.rs#L19)). The main challenge with translating this scheme into an arithmetic circuit comes from the heavy use of target group (pairing product) operations, specifically `gt` on `fr` multiplication.\n\nAll operations must be projected on top of BLS12-381, as this is the only curve currently supported by the [drand](https://drand.love/) threshold network. 
This poses a problem, as there is no commonly known pairing-friendly curve whose scalar field equals the base field of BLS12-381, which is needed for efficient KZG-based SNARKs.\n\nThere are multiple ways to tackle the mentioned problems:\n1. Change the projective curve (e.g. BLS12-377 [\\[2\\]](https://eprint.iacr.org/2018/962) that can be embedded into BW6-761 [\\[3\\]](https://eprint.iacr.org/2020/351))\n    - trade-off: requires changes to the drand protocol.\n2. Simulate BLS12-381 using non-native arithmetic\n    - trade-off: huge performance overhead.\n3. Find an application-specific curve that could embed the BLS12-381 base field\n    - trade-off: such curves would have low FFT space, but we can leverage the Gemini [\\[4\\]](https://eprint.iacr.org/2022/420) proving system to handle such brittle fields.\n4. Use the [Halo2](https://github.com/zcash/halo2) proving system, which defers all the pairings to the very end (i.e. accumulators); this makes non-native operations cheaper\n    - trade-off: dev tools to construct a halo2 circuit are currently lacking.\n\nFor the sake of experiments, this repo provides circuits for the first three approaches. For the third approach, it also introduces [`YT6-776`](./src/yt6_776) - an application-specific curve that embeds BLS12-381's base field. See details about it [here](./src/yt6_776).\n\n## Circuits\n- [`Circuit\u003cE: Pairing, P: Bls12Parameters\u003e`](https://github.com/timoth-y/zk-timelock/blob/main/src/circuits.rs#L41): a generic-curve circuit with native arithmetic only. Can be proved using the Groth16 system with the BLS12-377/BW6-761 curve combination.\n- [`NonnativeCircuit\u003cC: CurveGroup\u003e`](https://github.com/timoth-y/zk-timelock/blob/main/src/circuits.rs#L327): a circuit that simulates BLS12-381 base fields using non-native arithmetic. 
Can be proved using the Groth16 system with any projective/pairing curve combination (also BLS12-377/BW6-761 here).\n- [`GeminiNativeCircuit`](https://github.com/timoth-y/zk-timelock/blob/main/src/circuits.rs#L327): a modified native circuit that (currently) comes without input variables (see [this issue](https://github.com/arkworks-rs/gemini/issues/5) for details). Can be proved using the Gemini system with a BLS12-381/YT6-776 curve combination.\n\n## Benchmarks\nThe experimental results can be found in [BENCHMARKS.md](./BENCHMARKS.md).\n\n## Usage\nTo run the benchmarks on your machine, use the `cargo bench` command.\n\nFor usage examples of each circuit, see [`benches/ibe_benchmark.rs`](https://github.com/timoth-y/zk-timelock/blob/main/benches/ibe_benchmark.rs).\n\n## Acknowledgements\nI greatly thank [Weikeng Chen](https://github.com/weikengchen) for sharing the method of creating application-specific curves [\\[5\\]](https://eprint.iacr.org/2022/1145.pdf) and all the helpful discussions about it.\n\n## References\n- \\[1\\] Identity-Based Encryption from the Weil Pairing https://crypto.stanford.edu/~dabo/papers/bfibe.pdf\n- \\[2\\] Zexe: Enabling Decentralized Private Computation https://eprint.iacr.org/2018/962\n- \\[3\\] Optimized and secure pairing-friendly elliptic curves suitable for one layer proof composition https://eprint.iacr.org/2020/351\n- \\[4\\] Gemini: Elastic SNARKs for Diverse Environments https://eprint.iacr.org/2022/420\n- \\[5\\] YAFA-108/146: Implementing Ed25519-Embedding Cocks-Pinch Curves in Arkworks-rs https://eprint.iacr.org/2022/1145.pdf\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnulltea%2Fzk-timelock","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnulltea%2Fzk-timelock","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnulltea%2Fzk-timelock/lists"}