This is an implementation of "Boomerang", a novel decentralised privacy-preserving incentive protocol that leverages cryptographic black box accumulators to securely store user interactions within incentive systems. The protocol employs black-box accumulators, zero-knowledge proofs, the ACL signature scheme and Pedersen commitments for issuance, accumulation and redemption. In this way, systems can transparently compute rewards for users, ensuring verifiability while preserving their privacy.
In order to build, run either:
make
or
cargo build
To test:
cargo test --release
To benchmark:
cargo bench
To see the protocol in action, run the end2end example client and server programs in separate terminals (this will use the secp256k1 curve):
cargo run --example serverand then
cargo run --example clientThe implementation is broken down into a number of crates handling specific parts of the protocol, tests, and demonstration code.
boomerang: Overall protocol implementation with separate representations for the client and server sides. It implements the issuance, collection and spend-verify sub-protocols.pedersen: Commitment scheme after Pedersen, “Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing.” Advances in Cryptology CRYPTO ’91, LNCS 576, pp. 129-140, 1992. Based on code from the CDLS paper.acl: Anonymous Credentials Light blind signature system after Baldimtsi and Lysyanskaya, 2012.bulletproofs: Zero-knowledge proof scheme from Short proofs for Confidential Transactions, 2017. This implementation is derived from the one by dalek cryptography with some borrowing from the curve tree fork and Alex Ozdemir's arkworks version. Used under the MIT license.macros: Various utilities for generating test/bench/e2e boilerplate. Also from CDLS, but heavily modified.demo: A demo of the e2e functionality using secp256k1.t256andt384: Elliptic curve implementations of the "Thom" representation of NIST-256 and NIST-384 curves (see ZKAttest) using the arkworks framework. These are also from the CDLS library. This is only for testing and should not be used in the whole boomerang protocol.tsecp256k1andtsecq256k1; Elliptic curve implementations of secp256k1 and secq256k1 2-cycle curves using the arkworks framework. These are the curves used in Boomerang.