EMP-zk
June 11, 2026 · View on GitHub
Which version do I want?
- Existing projects pinned to a published release: stay on
v0.3.x—python3 install.py --tool=v0.3.x --ot=v0.3.x --zk=v0.3.xreproduces the prior emp-zk line. Bug fixes will be backported.- New projects, or willing to migrate: track
main— built against the C++20 BooleanContext line of emp-tool / emp-ot v1.0.emp-zk-boolis a nativeBooleanContext(ZKBoolContext) driven by an explicitZKBoolSessionhandle — no global backend; gadgets receive the session and circuit values areBit_T<ZKBoolContext>/Int_T<…>.emp-zk-arithstill keeps its ownZKFpExec::zk_execsingleton (staged).BaseCotandTwoKeyPRP(which moved out of emp-ot main) are vendored locally underemp-zk/emp-vole/, and theGaloisFieldPacking::base[]array that ram-zk indexes is provided by a smallramzk_gf_base()helper. The fullemp-zkumbrella (bool / arith / vole / ram / floats / lowmc) builds and tests pass end-to-end.
Protocols
The code in this repo implements a fast, scalable, communication-efficient zero-knowledge proof protocol for Boolean/arithmetic circuits and polynomials. The protocols are described in Wolverine, Quicksilver and Mystique.
Requirements
- CMake ≥ 3.21
- A C++20 compiler
- OpenSSL (≥ 1.1)
- emp-tool / emp-ot at the matching release line
Build and install
cmake -B build -DCMAKE_BUILD_TYPE=Release
cmake --build build -j
sudo cmake --install build # respects CMAKE_INSTALL_PREFIX
If emp-tool / emp-ot are in sibling source trees rather than installed, point CMake at their build directories:
cmake -B build -DCMAKE_BUILD_TYPE=Release \
-Demp-tool_DIR=/path/to/emp-tool/build \
-Demp-ot_DIR=/path/to/emp-ot/build
cmake --build build -j
Consuming from another CMake project
After cmake --install build:
find_package(emp-zk 1.0 REQUIRED)
target_link_libraries(my-app PRIVATE emp-zk::emp-zk)
The emp-zk::emp-zk target transitively pulls in emp-ot::emp-ot and
emp-tool::emp-tool.
Test
ctest --test-dir build --output-on-failure
Tests under test/bool/, test/arith/, test/vole/, and test/ram/
exercise every module end-to-end: Boolean / arithmetic ZK,
polynomial / inner-product proofs, SHA-256 + LowMC circuits, edabit
bool↔arith conversion, VOLE bootstrap (cope / lpn / base_svole /
vole_triple / vole_f2k_triple), and RAM ZK (read-only, read-write,
extended). Two-party tests are driven by the top-level ./run
wrapper (spawns party 1 then party 2 on localhost).
For a two-machine run: ./bin/test_bool_<name> 1 <port> on host A and
./bin/test_bool_<name> 2 <port> on host B; edit the test source if
the IP needs to be other than 127.0.0.1.
Performance
The test is done by two AWS EC2 m5.2xlarge servers with throttled network.
Throughput of circuit-based ZK protocol
All values are "million gates per second".
Boolean circuits
| Threads | 10 Mbps | 20 Mbps | 30 Mbps | 50 Mbps | Localhost |
|---|---|---|---|---|---|
| 1 | 5.1 | 7.8 | 8.6 | 8.6 | 8.6 |
| 2 | 6 | 10 | 12.9 | 14.3 | 13.6 |
| 3 | 6.3 | 10.9 | 14.5 | 17.3 | 18 |
| 4 | 6.4 | 11.4 | 15.1 | 19 | 19.4 |
Arithmetic circuits
| Threads | 100 Mbps | 500 Mbps | 1 Gbps | 2 Gbps | Localhost |
|---|---|---|---|---|---|
| 1 | 1.4 | 4.8 | 6.8 | 7.8 | 7.8 |
| 2 | 1.4 | 5.6 | 8.7 | 10.2 | 10.4 |
| 3 | 1.4 | 5.9 | 9.3 | 11.7 | 12.5 |
(Numbers measured on the v0.3.x line; main runs the same protocols,
so re-measured numbers should be in the same ballpark.)
Acknowledgement, Reference, and Questions
Please send email to Xiao Wang (wangxiao1254@gmail.com).
License
Licensed under the Apache License, Version 2.0 — see LICENSE.