
All Questions

4 votes
0 answers
102 views

For a standard hash function $H$ like SHA-256, one can choose a secret message $M$, compute and publish $h=H(M)$, then prove knowledge of the preimage $M$ in zero knowledge [that is without disclosing ...
asked by fgrieu (151k)
0 votes
1 answer
57 views

I still do not understand the security model when proving the zero-knowledge property. Take the Sigma protocol as an example: In the book Proofs, Arguments, and Zero-Knowledge (Section 12.2.1), the ...
asked by JACK GAO
3 votes
1 answer
432 views

In the third step of the Schnorr protocol, the prover's response takes the form $z=r+cx$. Why can't the form $z=cr+x$ work? I found that these answers 1 and 2 are related to my question. However, ...
asked by JACK GAO
5 votes
1 answer
137 views

The intuition behind simulation-based security proofs comes from the following idea — if any party participating in a protocol or system can fully simulate the entire interaction process without ...
asked by DSTBP (321)
1 vote
0 answers
80 views

I have a zero-knowledge proof scheme for a blockchain and I don't know if it's truly zero knowledge. It goes like this: I have two arrays of homomorphically encrypted values. I use homomorphic ...
asked by Steve Mucci
1 vote
1 answer
78 views

I'm trying to implement the Number Theoretic Transform with an elliptic curve for learning about SNARKs, and the curve I'm working with is an Edwards curve implemented on the scalar field of BLS12-377 ...
asked by udbhavs (11)
2 votes
0 answers
80 views

In the paper Twist and Shout, page 22, there is a reduction: from what I understand, because the following equation holds: $\mathsf{Val(k,j)} = \sum\limits_{j'<j}\mathsf{Inc}(k,j')\cdot \mathsf{LT}...
asked by Shuang (21)
1 vote
0 answers
40 views

In the LaBRADOR paper, page 22, my understanding of the binary coefficients check is that we want (as a first step) $\sum_{i,j}a_{i,j}(a_{i,j} -1) \equiv 0 \pmod q$, where $a_{i,j}$ is every coefficient of ...
asked by FrozoWeb
1 vote
0 answers
50 views

Updatable SNARKs allow anyone to update the structured reference string (SRS), providing security as long as at least one party in the update chain is honest. However, all current known constructions ...
asked by Violet Bark
1 vote
0 answers
63 views

I am trying to come up with a concise proof of HVZK for the Schnorr Sigma protocol. The real transcript and the simulator both output a $(t,z)$ such that $g^z=t\cdot h^c$ for a fixed public key $h$ ...
asked by MathematicallyUnsound
0 votes
1 answer
143 views

As far as I know, the difference between proof system and argument system is whether the adversary is computationally unbounded. My question is, in the definition of special soundness in Sigma ...
asked by user109993
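Several of the questions listed above (the security model for proving zero knowledge of a Sigma protocol, the $z=r+cx$ response, the HVZK proof for Schnorr, and special soundness) concern the same small protocol. The following is an added worked example, not code from any of the posts or the books they cite: it runs the Schnorr identification protocol in a constructed toy group, builds the honest-verifier simulator that outputs an accepting $(t,c,z)$ from the public key alone, and implements the special-soundness extractor that recovers $x$ from two accepting transcripts sharing the same commitment $t$. The group parameters ($p=2039$, $q=1019$, $g=4$) and the helper names are assumptions chosen for hand-checkable output; they are far too small for real use.

```python
"""Toy Schnorr Sigma protocol: honest run, HVZK simulator, special-soundness extractor.

Assumption (constructed parameters): p = 2q + 1 with q = 1019 prime, and g = 4 = 2^2 mod p,
which generates the order-q subgroup of Z_p^*.  Only for illustration, never for real keys.
"""
import secrets

P = 2039   # safe prime, constructed toy parameter
Q = 1019   # prime order of the subgroup generated by G
G = 4      # 2^2 mod P, so G has order Q
assert pow(G, Q, P) == 1 and G != 1


def keygen(x=None):
    """Secret x in Z_q (random unless supplied), public key h = g^x mod p."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit():
    """Step 1: prover samples r uniformly in Z_q and sends t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Step 2: an honest verifier sends a uniformly random challenge c in Z_q."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Step 3: prover answers z = r + c*x mod q (the standard Schnorr response)."""
    return (r + c * x) % Q


def verify(h, t, c, z):
    """Verifier accepts iff g^z = t * h^c mod p."""
    return pow(G, z, P) == (t * pow(h, c, P)) % P


def real_transcript(x, h):
    """One honest execution between a prover knowing x and an honest verifier."""
    r, t = prover_commit()
    c = verifier_challenge()
    z = prover_respond(x, r, c)
    return t, c, z


def simulate_transcript(h):
    """HVZK simulator: knows h but not x.

    It chooses the challenge c and the response z first, uniformly in Z_q, and then
    solves the verification equation for the commitment: t = g^z * h^{-c}.  Because
    (c, z) is uniform in both the real and the simulated case, and t is determined by
    (c, z) in both, the two transcript distributions are identical.
    """
    c = verifier_challenge()
    z = secrets.randbelow(Q)
    h_pow_minus_c = pow(pow(h, c, P), -1, P)
    t = (pow(G, z, P) * h_pow_minus_c) % P
    return t, c, z


def extract(t, c1, z1, c2, z2):
    """Special soundness: two accepting transcripts (t, c1, z1), (t, c2, z2) with
    c1 != c2 yield x = (z1 - z2) / (c1 - c2) mod q, since z_i = r + c_i * x."""
    if c1 == c2:
        raise ValueError("challenges must differ")
    return ((z1 - z2) * pow(c1 - c2, -1, Q)) % Q


if __name__ == "__main__":
    x, h = keygen()
    t, c, z = real_transcript(x, h)
    print("real transcript accepted:", verify(h, t, c, z))

    ts, cs, zs = simulate_transcript(h)
    print("simulated transcript accepted:", verify(h, ts, cs, zs))

    # Rewind the prover: same r (hence same t), two different challenges.
    r, t = prover_commit()
    c1, c2 = 5, 9
    z1, z2 = prover_respond(x, r, c1), prover_respond(x, r, c2)
    print("extracted secret matches:", extract(t, c1, z1, c2, z2) == x)
```

The simulator is the whole content of the HVZK proof: it never touches $x$, yet every $(t,c,z)$ it emits passes `verify`, and its output distribution equals the honest one. The extractor is the content of special soundness: a prover that can answer two distinct challenges on one commitment must know $x$, which is why special soundness gives knowledge soundness without any bound on the prover beyond the rewinding argument.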
1 vote
1 answer
89 views

I have $m$ inner product arguments to be proved, denoted by $\langle a_1,b_1\rangle=c_1,\cdots,\langle a_m,b_m\rangle=c_m.$ In order to reduce the proof size (and also reduce verification effort), I want to aggregate ...
asked by Maple (11)
0 votes
0 answers
44 views

The prover has a secret scalar $s$, that needs to be encrypted for a receiver. But we also want to publicly verify that the secret is within a range (< 256). One scheme could be (quite possible ...
asked by rusty (131)
1 vote
1 answer
90 views

While working through the proof of Theorem 19.1 in Boneh-Shoup (http://toc.cryptobook.us/book.pdf), I've run into an issue that I can't seem to figure out. The Theorem is to prove that Schnorr's ID ...
asked by MathematicallyUnsound
1 vote
2 answers
888 views

I'm new to learning about cryptography. I'd like to build a system for two people to reveal they know the same secret data, without revealing the secret to each other, or to anyone else. The idea is ...
asked by AlexH (11)