1
2
3
4
5
6
7
8
9
10
11

// Note that a private key is a scalar value (int)
// whereas a public key is a point in space (Tuple[int, int])
const zk_identity = (private_key, public_keys) => {// derive_public_from_private is a function that// returns a public key given a private keyderived_public_key = derive_public_from_private(private_key)for (let pk in public_keys):if derived_public_key === pk:return truereturn false
}

1
2
3
4
5
6
7

npm install circom circomlib snarkjs websnarkmkdir contracts
mkdir circuits
mkdir -p build/circuitstouch circuits/circuit.circom

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

include "../node_modules/circomlib/circuits/bitify.circom";
include "../node_modules/circomlib/circuits/escalarmulfix.circom";
include "../node_modules/circomlib/circuits/comparators.circom";template PublicKey() {// Note: private key needs to be hashed, and then pruned// to make sure its compatible with the babyJubJub curvesignal private input in;signal output out[2];component privBits = Num2Bits(253);privBits.in <== in;var BASE8 = [5299619240641551281634865583518297030282874472190772894086521144482721001553,16950150798460657717958625567821834550301663161624707787222815936182638968203];component mulFix = EscalarMulFix(253, BASE8);for (var i = 0; i < 253; i++) {mulFix.e[i] <== privBits.out[i];}out[0] <== mulFix.out[0];out[1] <== mulFix.out[1];
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

include ...template PublicKey() {...
}template ZkIdentity(groupSize) {// Public Keys in the smart contract// Note: this assumes that the publicKeys// are all uniquesignal input publicKeys[groupSize][2];// Prover's private keysignal private input privateKey;// Prover's derived public keycomponent publicKey = PublicKey();publicKey.in <== privateKey;// Make sure that derived public key needs to// matche to at least one public key in the// smart contract to validate their identityvar sum = 0;// Create a component to check if two values are// equalcomponent equals[groupSize][2];for (var i = 0; i < groupSize; i++) {// Helper component to check if two// values are equal// We don't want to use ===// as that will fail immediately if// the predicate doesn't hold trueequals[i][0] = IsEqual();equals[i][1] = IsEqual();equals[i][0].in[0] <== publicKeys[i][0];equals[i][0].in[1] <== publicKey.out[0];equals[i][1].in[0] <== publicKeys[i][1];equals[i][1].in[1] <== publicKey.out[1];sum += equals[i][0].out;sum += equals[i][1].out;}// equals[i][j].out will return 1 if the values are equal// and 0 if the values are not equal// Therefore, if the derived public key (a point in space)// matches a public keys listed in the smart contract, the sum of// all the equals[i][j].out should be equal to 2sum === 2;
}// Main entry point
component main = ZkIdentity(2);

1
2
3
4
5
6
7
8
9
10
11

$(npm bin)/circom circuits/circuit.circom -o build/circuits/circuit.json# snarkjs setup might take a few seconds
$(npm bin)/snarkjs setup --protocol groth -c build/circuits/circuit.json --pk build/circuits/provingKey.json --vk build/circuits/verifyingKey.json# Generate solidity lib to verify proof
$(npm bin)/snarkjs generateverifier --pk build/circuits/provingKey.json --vk build/circuits/verifyingKey.json -v contracts/Verifier.sol# You should now have a new "Verifier.sol" in your contracts directory
# $ ls contracts
# Migrations.sol Verifier.sol

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

...function verifyProof(uint[2] memory a,uint[2][2] memory b,uint[2] memory c,uint[4] memory input) public view returns (bool r) {Proof memory proof;proof.A = Pairing.G1Point(a[0], a[1]);proof.B = Pairing.G2Point([b[0][0], b[0][1]], [b[1][0], b[1][1]]);proof.C = Pairing.G1Point(c[0], c[1]);uint[] memory inputValues = new uint[](input.length);for(uint i = 0; i < input.length; i++){inputValues[i] = input[i];}if (verify(inputValues, proof) == 0) {return true;} else {return false;}}...

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

pragma solidity 0.5.11;import "./Verifier.sol";contract ZkIdentity is Verifier {address public owner;uint256[2][2] public publicKeys;constructor() public {owner = msg.sender;publicKeys = [[11588997684490517626294634429607198421449322964619894214090255452938985192043,15263799208273363060537485776371352256460743310329028590780329826273136298011],[3554016859368109379302439886604355056694273932204896584100714954675075151666,17802713187051641282792755605644920157679664448965917618898436110214540390950]];}function isInGroup(uint256[2] memory a,uint256[2][2] memory b,uint256[2] memory c,uint256[4] memory input // public inputs) public view returns (bool) {if (input[0] != publicKeys[0][0] &&input[1] != publicKeys[0][1] &&input[2] != publicKeys[1][0] &&input[3] != publicKeys[1][1]) {revert("Supplied public keys do not match contracts");}return verifyProof(a, b, c, input);}
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

// Assuming below already exists
const provingKey // provingKey.json
const circuit // zero-knowledge circuit we wrote
const zkIdentityContract // Zk-Identity contract instanceconst privateKey  // Private key that corresponds to one of the public key in the smart contract
const publicKeys = [[11588997684490517626294634429607198421449322964619894214090255452938985192043n,15263799208273363060537485776371352256460743310329028590780329826273136298011n],[3554016859368109379302439886604355056694273932204896584100714954675075151666n,17802713187051641282792755605644920157679664448965917618898436110214540390950n]
]const circuitInputs = {privateKey,publicKeys
}const witness = circuit.calculateWitness(circuitInputs)
const proof = groth16GenProof(witness, provingKey)const isInGroup = zkIdentityContract.isInGroup(proof.a,proof.b,proof.c,witness.publicSignals
)