# Zero-knowledge proofs This document explains how to implement the zero-knowledge proofs function for compact public key encryption to verify the encryption process without revealing the encrypted information. **TFHE-rs** can generate zero-knowledge proofs to verify that the compact public key encryption process is correct. In other words, **TFHE-rs** generates the proof without revealing any information other than the already known range of the encrypted message. This technique is derived from [Libert’s work](https://eprint.iacr.org/2023/800). {% hint style="info" %} You can enable this feature using the flag: `--features=zk-pok` when building **TFHE-rs**. {% endhint %} {% hint style="info" %} For GPU-accelerated proof generation and verification, see [GPU ZK-PoKs](/tfhe-rs/hardware-acceleration/run-on-gpu/zk-pok.md). {% endhint %} To use this feature, you must first generate a **CRS** (Common Reference String). The CRS is a piece of cryptographic data that is necessary to ensure the security of zero-knowledge proofs. The CRS should be generated in advance and shared between all the clients and the server. A CRS can be reused for multiple encryptions with the same parameters. Once the CRS is generated, using zero-knowledge proofs is straightforward: during encryption, the client generates the proof, and the server validates it before performing any homomorphic computations. Note that you need to use dedicated parameters for the compact public key encryption. This helps to reduce the size of encrypted data and speed up the zero-knowledge proof computation. The following example shows how a client can encrypt and prove a ciphertext, and how a server can verify and compute the ciphertext: ```rust use rand::prelude::*; use tfhe::prelude::*; use tfhe::set_server_key; use tfhe::zk::{CompactPkeCrs, ZkComputeLoad}; pub fn main() -> Result<(), Box> { let mut rng = thread_rng(); let params = tfhe::shortint::parameters::PARAM_MESSAGE_2_CARRY_2_KS_PBS_TUNIFORM_2M128; // Indicate which parameters to use for the Compact Public Key encryption let cpk_params = tfhe::shortint::parameters::PARAM_PKE_MESSAGE_2_CARRY_2_KS_PBS_TUNIFORM_2M128; // And parameters allowing to keyswitch/cast to the computation parameters. let casting_params = tfhe::shortint::parameters::PARAM_KEYSWITCH_MESSAGE_2_CARRY_2_KS_PBS_TUNIFORM_2M128; // Enable the dedicated parameters on the config let config = tfhe::ConfigBuilder::with_custom_parameters(params) .use_dedicated_compact_public_key_parameters((cpk_params, casting_params)).build(); // The CRS should be generated in an offline phase then shared to all clients and the server let crs = CompactPkeCrs::from_config(config, 64).unwrap(); // Then use TFHE-rs as usual let client_key = tfhe::ClientKey::generate(config); let server_key = tfhe::ServerKey::new(&client_key); let public_key = tfhe::CompactPublicKey::try_new(&client_key).unwrap(); // This can be left empty, but if provided allows to tie the proof to arbitrary data let metadata = [b'T', b'F', b'H', b'E', b'-', b'r', b's']; let clear_a = rng.gen::(); let clear_b = rng.gen::(); let proven_compact_list = tfhe::ProvenCompactCiphertextList::builder(&public_key) .push(clear_a) .push(clear_b) .build_with_proof_packed(&crs, &metadata, ZkComputeLoad::Verify)?; // Server side let result = { set_server_key(server_key); // Verify the ciphertexts let expander = proven_compact_list.verify_and_expand(&crs, &public_key, &metadata)?; let a: tfhe::FheUint64 = expander.get(0)?.unwrap(); let b: tfhe::FheUint64 = expander.get(1)?.unwrap(); a + b }; // Back on the client side let a_plus_b: u64 = result.decrypt(&client_key); assert_eq!(a_plus_b, clear_a.wrapping_add(clear_b)); Ok(()) } ``` {% hint style="info" %} You can choose a more costly proof with `ZkComputeLoad::Proof`, which has a faster verification time. Alternatively, you can select `ZkComputeLoad::Verify` for a faster proof and slower verification. {% endhint %} ## Scheme version The ZK scheme used to generate and verify proofs is available in two versions: * ZKV1: This version is close to the original paper from [Libert](https://eprint.iacr.org/2023/800). * ZKV2: Differing from the paper, this version provides better performance for provers and verifiers. **TFHE-rs** selects automatically the scheme to use based on the encryption parameters during the CRS generation. With default parameters, ZKV2 is selected. The following example shows how to generate a CRS and proofs for ZKV1. Compared to the previous example, only the parameters are changed: ```rust use rand::prelude::*; use tfhe::prelude::*; use tfhe::set_server_key; use tfhe::zk::{CompactPkeCrs, ZkComputeLoad}; pub fn main() -> Result<(), Box> { let mut rng = thread_rng(); let params = tfhe::shortint::parameters::current_params::V1_6_PARAM_MESSAGE_2_CARRY_2_KS_PBS_TUNIFORM_2M128; // Indicate which parameters to use for the Compact Public Key encryption let cpk_params = tfhe::shortint::parameters::current_params::compact_public_key_only::p_fail_2_minus_128::ks_pbs::V1_6_PARAM_PKE_TO_SMALL_MESSAGE_2_CARRY_2_KS_PBS_TUNIFORM_2M128_ZKV1; // And parameters allowing to keyswitch/cast to the computation parameters. let casting_params = tfhe::shortint::parameters::current_params::key_switching::p_fail_2_minus_128::ks_pbs::V1_6_PARAM_KEYSWITCH_PKE_TO_SMALL_MESSAGE_2_CARRY_2_KS_PBS_TUNIFORM_2M128_ZKV1; // Enable the dedicated parameters on the config let config = tfhe::ConfigBuilder::with_custom_parameters(params) .use_dedicated_compact_public_key_parameters((cpk_params, casting_params)).build(); // The CRS should be generated in an offline phase then shared to all clients and the server let crs = CompactPkeCrs::from_config(config, 64).unwrap(); // Then use TFHE-rs as usual let client_key = tfhe::ClientKey::generate(config); let server_key = tfhe::ServerKey::new(&client_key); let public_key = tfhe::CompactPublicKey::try_new(&client_key).unwrap(); // This can be left empty, but if provided allows to tie the proof to arbitrary data let metadata = [b'T', b'F', b'H', b'E', b'-', b'r', b's']; let clear_a = rng.gen::(); let clear_b = rng.gen::(); let proven_compact_list = tfhe::ProvenCompactCiphertextList::builder(&public_key) .push(clear_a) .push(clear_b) .build_with_proof_packed(&crs, &metadata, ZkComputeLoad::Verify)?; // Server side let result = { set_server_key(server_key); // Verify the ciphertexts let expander = proven_compact_list.verify_and_expand(&crs, &public_key, &metadata)?; let a: tfhe::FheUint64 = expander.get(0)?.unwrap(); let b: tfhe::FheUint64 = expander.get(1)?.unwrap(); a + b }; // Back on the client side let a_plus_b: u64 = result.decrypt(&client_key); assert_eq!(a_plus_b, clear_a.wrapping_add(clear_b)); Ok(()) } ``` ## Usage in web browsers Zero-knowledge proof computation can be accelerated with parallelism in the browser using the WASM API. Two modes are available: * **Cross-origin isolated mode**: Uses `SharedArrayBuffer` with `initThreadPool`. Requires COOP/COEP headers. * **Cross-origin worker mode**: Uses a Service Worker–based worker pool. Works on any website without special headers. See the [JS on WASM API documentation](/tfhe-rs/integration/js-on-wasm-api.md) for setup instructions. ## Benchmark Please refer to the [Zero-knowledge proof benchmarks](/tfhe-rs/get-started/benchmarks/zk-proof-benchmarks.md) for detailed performance benchmark results. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.zama.org/tfhe-rs/fhe-computation/advanced-features/zk-pok.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.