Non-interactive zero-knowledge proofs are
zero-knowledge proof
In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information a ...
s where information between a prover and a verifier can be authenticated by the prover, without revealing any of the specific information beyond the validity of the transaction itself. This function of encryption makes direct communication between the prover and verifier unnecessary, effectively removing any intermediaries. The core trustless cryptography "proofing" involves a
hash function
A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called ''hash values'', ''hash codes'', ''digests'', or simply ''hashes''. The values are usually u ...
generation of a random number, constrained within mathematical parameters (primarily to modulate hashing difficulties) determined by the prover and verifier.
With this cryptographic engine, the prover must demonstrate the validity of the transaction, by solving the hash of a random number. Finally, proof of the answer is returned to the verifier, without revealing its value.
There are many different methods for establishing a
cryptographic
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adve ...
proof of hash validity. Perhaps the most notable method,
proof of work
Proof of work (PoW) is a form of Cryptography, cryptographic proof (truth), proof in which one party (the ''prover'') proves to others (the ''verifiers'') that a certain amount of a specific computational effort has been expended. Verifiers can s ...
, involves computing the proper hash value by means of brute force guessing using computational power. A far more scalable approach involves the more modern
proof of stake
Proof-of-stake (PoS) protocols are a class of consensus mechanisms for blockchains that work by selecting validators in proportion to their quantity of holdings in the associated cryptocurrency. This is done to avoid the computational cost of p ...
, which leverages the pooled public-key authenticity of blockchain
validator
A validator is a computer program used to check the validity or syntactical correctness of a fragment of code or document. The term is commonly used in the context of validating HTML,Tittel, Ed, and Mary C. Burmeister. HTML 4 for Dummies. --For d ...
networks.
History
Blum, Feldman, and
Micali[Manuel Blum, Paul Feldman, and Silvio Micali. Non-Interactive Zero-Knowledge and Its Applications. Proceedings of the twentieth annual ACM symposium on Theory of computing (STOC 1988). 103–112. 1988] showed in 1988 that a common reference string shared between the prover and the verifier is sufficient to achieve computational zero-knowledge without requiring interaction.
Goldreich and Oren
[Oded Goldreich and Yair Oren. Definitions and Properties of Zero-Knowledge Proof Systems. Journal of Cryptology. Vol 7(1). 1–32. 199]
(PS)
/ref> gave impossibility results for one shot zero-knowledge protocols in the standard model
The Standard Model of particle physics is the theory describing three of the four known fundamental forces (electromagnetism, electromagnetic, weak interaction, weak and strong interactions - excluding gravity) in the universe and classifying a ...
. In 2003, Shafi Goldwasser
en, Shafrira Goldwasser
, name = Shafi Goldwasser
, image = Shafi Goldwasser.JPG
, caption = Shafi Goldwasser in 2010
, birth_place = New York City, New York, U.S.
, birth_date =
, death_date ...
and Yael Tauman Kalai
Yael Tauman Kalai is a cryptographer and theoretical computer scientist who works as a Senior Principal Researcher at Microsoft Research New England and as an adjunct professor at MIT in the Computer Science and Artificial Intelligence Lab.
Edu ...
published an instance of an identification scheme for which any hash function will yield an insecure digital signature scheme.[Shafi Goldwasser and Yael Kalai. On the (In)security of the Fiat–Shamir Paradigm. Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS'03). 2003] These results are not contradictory, as the impossibility result of Goldreich and Oren does not hold in the common reference string model
Common may refer to:
Places
* Common, a townland in County Tyrone, Northern Ireland
* Boston Common, a central public park in Boston, Massachusetts
* Cambridge Common, common land area in Cambridge, Massachusetts
* Clapham Common, originally com ...
or the random oracle model
In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time t ...
. Non-interactive zero-knowledge proofs however show a separation between the cryptographic tasks that can be achieved in the standard model and those that can be achieved in 'more powerful' extended models.
The model influences the properties that can be obtained from a zero-knowledge protocol. Pass showed that in the common reference string model non-interactive zero-knowledge protocols do not preserve all of the properties of interactive zero-knowledge protocols; e.g., they do not preserve deniability. Non-interactive zero-knowledge proofs can also be obtained in the random oracle model
In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time t ...
using the Fiat–Shamir heuristic In cryptography, the Fiat–Shamir heuristic is a technique for taking an interactive proof of knowledge and creating a digital signature based on it. This way, some fact (for example, knowledge of a certain secret number) can be publicly proven wi ...
.
Blockchain Applications
In 2012, Alessandro Chiesa et al developed the zk-SNARK protocol, an acronym for ''zero-knowledge succinct non-interactive argument of knowledge''.blockchain
A blockchain is a type of distributed ledger technology (DLT) that consists of growing lists of records, called ''blocks'', that are securely linked together using cryptography. Each block contains a cryptographic hash of the previous block, a ...
protocol, where zero-knowledge cryptography provides the computational backbone, by facilitating mathematical proofs that one party has possession of certain information without revealing what that information is.Litecoin
Litecoin (Abbreviation: LTC; sign: Ł) is a decentralized peer-to-peer cryptocurrency and open-source software project released under the MIT/X11 license. Inspired by Bitcoin, Litecoin was among the earliest altcoins, starting in October 2011. ...
via extension blocks) and Monero cryptocurrency.
In 2018, the ''zk-STARK'' (zero-knowledge Scalable Transparent Argument of Knowledge) protocol was introduced,[Scalable, transparent, and post-quantum secure computational integrity, Ben-Sasson, Eli and Bentov, Iddo and Horesh, Yinon and Riabzev, Michael, 2018
] offering transparency (no trusted setup), quasi-linear proving time, and poly-logarithmic verification time.[{{cite web, title=Scalable, transparent, and post-quantum secure computational integrity , date=March 6, 2018 , authors=Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, Michael Riabzev , publisher=]International Association for Cryptologic Research
International is an adjective (also used as a noun) meaning "between nations".
International may also refer to:
Music Albums
* ''International'' (Kevin Michael album), 2011
* ''International'' (New Order album), 2002
* ''International'' (The T ...
, url=https://eprint.iacr.org/2018/046.pdf , accessdate=October 24, 2021
Definition
Originally,
Pairing-based non-interactive proofs
Pairing-based cryptography Pairing-based cryptography is the use of a pairing between elements of two cryptographic groups to a third group with a mapping e :G_1 \times G_2 \to G_T to construct or analyze cryptographic systems.
Definition
The following definition is commonl ...
has led to several cryptographic advancements. One of these advancements is more powerful and more efficient non-interactive zero-knowledge proofs. The seminal idea was to hide the values for the pairing evaluation in a commitment. Using different commitment schemes, this idea was used to build zero-knowledge proof systems under the sub-group hiding The sub-group hiding assumption is a computational hardness assumption used in elliptic curve cryptography and pairing-based cryptography.
It was first introduced inDan Boneh, Eu-Jin Goh, Kobbi Nissim: Evaluating 2-DNF Formulas on Ciphertexts. TCC ...
[Jens Groth, Rafail Ostrovsky, Amit Sahai: Perfect Non-interactive Zero Knowledge for NP. EUROCRYPT 2006: 339–358] and under the decisional linear assumption The Decision Linear (DLIN) assumption is a computational hardness assumption used in elliptic curve cryptography. In particular, the DLIN assumption is useful in settings where the decisional Diffie–Hellman assumption does not hold (as is oft ...
.[Jens Groth, Rafail Ostrovsky, Amit Sahai: Non-interactive Zaps and New Techniques for NIZK. CRYPTO 2006: 97–111] These proof systems prove circuit satisfiability
In theoretical computer science, the circuit satisfiability problem (also known as CIRCUIT-SAT, CircuitSAT, CSAT, etc.) is the decision problem of determining whether a given Boolean circuit has an assignment of its inputs that makes the output tru ...
, and thus by the Cook–Levin theorem
In computational complexity theory, the Cook–Levin theorem, also known as Cook's theorem, states that the Boolean satisfiability problem is NP-complete. That is, it is in NP, and any problem in NP can be reduced in polynomial time by a determi ...
allow proving membership for every language in NP. The size of the common reference string and the proofs is relatively small; however, transforming a statement into a boolean circuit incurs considerable overhead.
Proof systems under the sub-group hiding The sub-group hiding assumption is a computational hardness assumption used in elliptic curve cryptography and pairing-based cryptography.
It was first introduced inDan Boneh, Eu-Jin Goh, Kobbi Nissim: Evaluating 2-DNF Formulas on Ciphertexts. TCC ...
, decisional linear assumption The Decision Linear (DLIN) assumption is a computational hardness assumption used in elliptic curve cryptography. In particular, the DLIN assumption is useful in settings where the decisional Diffie–Hellman assumption does not hold (as is oft ...
, and external Diffie–Hellman assumption that allow directly proving the pairing product equations that are common in pairing-based cryptography Pairing-based cryptography is the use of a pairing between elements of two cryptographic groups to a third group with a mapping e :G_1 \times G_2 \to G_T to construct or analyze cryptographic systems.
Definition
The following definition is commonl ...
have been proposed.
Under strong knowledge assumptions, it is known how to create sublinear-length computationally soundproof systems for NP-complete
In computational complexity theory, a problem is NP-complete when:
# it is a problem for which the correctness of each solution can be verified quickly (namely, in polynomial time) and a brute-force search algorithm can find a solution by tryi ...
languages. More precisely, the proof in such proof systems consists only of a small number of bilinear group elements.[Helger Lipmaa. Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments. TCC 2012: 169–189]
References
Theory of cryptography