System invariants
An invariant is a property of a system which remains unmodified even after operations or transformations are applied to it. The authors of Semacaulk intend the following to be the invariants of Semacaulk:
- Privacy: No-one but the user who knows the value of the identity nullifier and identity trapdoor behind an identity commitment may generate a valid proof of set membership of the identity commitment in the accumulator.
- Safe NUMS value: No-one should be able to produce a valid proof of set membership for the default nothing-up-my-sleeve value.
- Proof non-malleability: Proofs are visible once submitted to the mempool, but no-one should be able to modify an existing proof, change it such that it is associated with a different signal, and remain valid.
- Zero-knowledge: Given a valid proof, no-one should be able to determine the index of the identity commitment, the identity nullifier, or the identity trapdoor associated with the proof.
Other invariants which have to do with the internal consistency and correctness of the system are:
- All identity commitments must be less than the BN254 scalar field size.
- Every identity commitment in the accumulator must have been added at some point in the past, except for the NUMS values.
- Any identity commitment besides the NUMS value may be added to the accumulator, unless it is full.
- The NUMS value cannot be added to the accumulator.
- There can be no valid proof associated with a NUMS value as the identity commitment.
- All nullifier hashes must be less than the BN254 scalar field size.
- It should only be possible to generate a proof for a valid user, and impossible to generate a proof for an invalid user.
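The following is an added example, not Semacaulk's own code: a small model of the accumulator that enforces the internal-consistency invariants listed above (field-size bounds, NUMS rejection, capacity, and the "must have been added" history rule). The BN254 scalar field modulus is the real value; the capacity and the NUMS value are constructed placeholders, since the page does not state them.

```python
# Real BN254 scalar field modulus; commitments and nullifier hashes must be below it.
BN254_SCALAR_FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617

# Placeholder: the real nothing-up-my-sleeve value is defined by Semacaulk, not here.
NUMS_PLACEHOLDER = 12345


class InvariantViolation(Exception):
    """Raised when an operation would break one of the listed invariants."""


class Accumulator:
    def __init__(self, capacity, nums=NUMS_PLACEHOLDER):
        self.capacity = capacity
        self.nums = nums
        # Every slot starts out as the NUMS value: the only entries never explicitly added.
        self.leaves = [nums] * capacity
        self.added = []  # history of explicit insertions, in order

    def is_full(self):
        return len(self.added) >= self.capacity

    @staticmethod
    def check_field_element(value, what):
        if not (0 <= value < BN254_SCALAR_FIELD):
            raise InvariantViolation(f"{what} must be less than the BN254 scalar field size")

    def insert(self, identity_commitment):
        self.check_field_element(identity_commitment, "identity commitment")
        if identity_commitment == self.nums:
            raise InvariantViolation("the NUMS value cannot be added to the accumulator")
        if self.is_full():
            raise InvariantViolation("accumulator is full")
        index = len(self.added)
        self.leaves[index] = identity_commitment
        self.added.append(identity_commitment)
        return index

    def may_prove_membership(self, identity_commitment):
        # A valid proof exists only for a commitment that was explicitly added and is not NUMS.
        return identity_commitment != self.nums and identity_commitment in self.added

    def history_consistent(self):
        # Every non-NUMS leaf must be traceable to an explicit insertion.
        return all(leaf == self.nums or leaf in self.added for leaf in self.leaves)


def insertion_rejected(acc, value):
    """True if inserting `value` violates an invariant, False if it is accepted."""
    try:
        acc.insert(value)
    except InvariantViolation:
        return True
    return False
```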