Skip to main content
Version: 1.0.1

Epoch Key Proof

Epoch key is computed by

identityNullifier + nonce,
]) % BigInt(2 ** epochTreeDepth)

The epoch key proof in UniRep is used to prove that

  1. The epoch key is in the epoch that user claims.
  2. The epoch key nonce is between 0 and numEpochKeyNoncePerEpoch - 1.
  3. The owner of the epoch key has registered in UniRep and has performed the user state transition in the latest epoch. In other words, the user has a leaf in the global state tree.

Public inputs

  • epoch: the claimed epoch that the epoch key is in

Public outputs

  • epoch_key: the claimed epoch key
  • GST_root: the global state tree root that the user has a leaf in

Private inputs

  • nonce: the nonce of epoch key. It should be in range [0, numEpochKeyNoncePerEpoch)
  • identity_nullifier: the identity that the Semaphore protocol uses, and it is also used to generate an epoch key.
  • identity_trapdoor: the identity trapdoor key that the Semaphore protocol uses. The hash output of identity_nullifier, and identity_trapdoor is the identity_commitment and it is used to generate a global state tree leaf by
const GST_leaf = hash(identity_commitment, UST_root)
  • user_tree_root: the user state tree root. It is used to compute the global state tree leaf
  • GST_path_index: the path index routes from leaf to root in the global state tree. It should be either 0 or 1 to indicate if the element is in the right sibling or the left sibling.
  • GST_path_elements: The sibling node that should be hashed with current path element to get the root.


1. Check if user exists in the Global State Tree

Check if hash(identity_commitment, UST_root) is one of the leaves in the global state tree of root GST_root.

2. Check nonce validity

Check if nonce < EPOCH_KEY_NUM_PER_EPOCH

3. Check epoch key is computed correctly

Check if epoch_key = hash2([identityNullifier + nonce, epoch]) % BigInt(2 ** epochTreeDepth)


See the whole circuit in circuits/verifyEpochKey.circom