Zk-SNARK
   HOME

TheInfoList



OR:

Non-interactive zero-knowledge proofs are
zero-knowledge proof In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information a ...
s where information between a prover and a verifier can be authenticated by the prover, without revealing any of the specific information beyond the validity of the transaction itself. This function of encryption makes direct communication between the prover and verifier unnecessary, effectively removing any intermediaries. The core trustless cryptography "proofing" involves a
hash function A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called ''hash values'', ''hash codes'', ''digests'', or simply ''hashes''. The values are usually u ...
generation of a random number, constrained within mathematical parameters (primarily to modulate hashing difficulties) determined by the prover and verifier. With this cryptographic engine, the prover must demonstrate the validity of the transaction, by solving the hash of a random number. Finally, proof of the answer is returned to the verifier, without revealing its value. There are many different methods for establishing a
cryptographic Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adve ...
proof Proof most often refers to: * Proof (truth), argument or sufficient evidence for the truth of a proposition * Alcohol proof, a measure of an alcoholic drink's strength Proof may also refer to: Mathematics and formal logic * Formal proof, a con ...
of hash validity. Perhaps the most notable method,
proof of work Proof of work (PoW) is a form of Cryptography, cryptographic proof (truth), proof in which one party (the ''prover'') proves to others (the ''verifiers'') that a certain amount of a specific computational effort has been expended. Verifiers can s ...
, involves computing the proper hash value by means of brute force guessing using computational power. A far more scalable approach involves the more modern
proof of stake Proof-of-stake (PoS) protocols are a class of consensus mechanisms for blockchains that work by selecting validators in proportion to their quantity of holdings in the associated cryptocurrency. This is done to avoid the computational cost of p ...
, which leverages the pooled public-key authenticity of blockchain
validator A validator is a computer program used to check the validity or syntactical correctness of a fragment of code or document. The term is commonly used in the context of validating HTML,Tittel, Ed, and Mary C. Burmeister. HTML 4 for Dummies. --For du ...
networks.


History

Blum, Feldman, and MicaliManuel Blum, Paul Feldman, and Silvio Micali. Non-Interactive Zero-Knowledge and Its Applications. Proceedings of the twentieth annual ACM symposium on Theory of computing (STOC 1988). 103–112. 1988 showed in 1988 that a common reference string shared between the prover and the verifier is sufficient to achieve computational zero-knowledge without requiring interaction. Goldreich and OrenOded Goldreich and Yair Oren. Definitions and Properties of Zero-Knowledge Proof Systems. Journal of Cryptology. Vol 7(1). 1–32. 199
(PS)
/ref> gave impossibility results for one shot zero-knowledge protocols in the
standard model The Standard Model of particle physics is the theory describing three of the four known fundamental forces (electromagnetism, electromagnetic, weak interaction, weak and strong interactions - excluding gravity) in the universe and classifying a ...
. In 2003,
Shafi Goldwasser en, Shafrira Goldwasser , name = Shafi Goldwasser , image = Shafi Goldwasser.JPG , caption = Shafi Goldwasser in 2010 , birth_place = New York City, New York, U.S. , birth_date = , death_date ...
and
Yael Tauman Kalai Yael Tauman Kalai is a cryptographer and theoretical computer scientist who works as a Senior Principal Researcher at Microsoft Research New England and as an adjunct professor at MIT in the Computer Science and Artificial Intelligence Lab. Edu ...
published an instance of an identification scheme for which any hash function will yield an insecure digital signature scheme.Shafi Goldwasser and Yael Kalai. On the (In)security of the Fiat–Shamir Paradigm. Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS'03). 2003 These results are not contradictory, as the impossibility result of Goldreich and Oren does not hold in the
common reference string model Common may refer to: Places * Common, a townland in County Tyrone, Northern Ireland * Boston Common, a central public park in Boston, Massachusetts * Cambridge Common, common land area in Cambridge, Massachusetts * Clapham Common, originally com ...
or the
random oracle model In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time t ...
. Non-interactive zero-knowledge proofs however show a separation between the cryptographic tasks that can be achieved in the standard model and those that can be achieved in 'more powerful' extended models. The model influences the properties that can be obtained from a zero-knowledge protocol. Pass showed that in the common reference string model non-interactive zero-knowledge protocols do not preserve all of the properties of interactive zero-knowledge protocols; e.g., they do not preserve deniability. Non-interactive zero-knowledge proofs can also be obtained in the
random oracle model In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time t ...
using the
Fiat–Shamir heuristic In cryptography, the Fiat–Shamir heuristic is a technique for taking an interactive proof of knowledge and creating a digital signature based on it. This way, some fact (for example, knowledge of a certain secret number) can be publicly proven wi ...
.


Blockchain Applications

In 2012, Alessandro Chiesa et al developed the zk-SNARK protocol, an acronym for ''zero-knowledge succinct non-interactive argument of knowledge''. The first widespread application of zk-SNARKs was in the Zerocash
blockchain A blockchain is a type of distributed ledger technology (DLT) that consists of growing lists of records, called ''blocks'', that are securely linked together using cryptography. Each block contains a cryptographic hash of the previous block, a ...
protocol, where zero-knowledge cryptography provides the computational backbone, by facilitating mathematical proofs that one party has possession of certain information without revealing what that information is. Zcash utilized zk-SNARKs to facilitate four distinct transaction types: private, shielding, deshielding, and public. This protocol allowed users to determine how much data was shared with the public ledger for each transaction. In 2017, ''Bulletproofs'' was released, which enable proving that a committed value is in a range using a logarithmic (in the bit length of the range) number of field and group elements. Bulletproofs was later implemented into Mimblewimble protocol (the basis for Grin and Beam, and
Litecoin Litecoin (Abbreviation: LTC; sign: Ł) is a decentralized peer-to-peer cryptocurrency and open-source software project released under the MIT/X11 license. Inspired by Bitcoin, Litecoin was among the earliest altcoins, starting in October 2011. ...
via extension blocks) and Monero cryptocurrency. In 2018, the ''zk-STARK'' (zero-knowledge Scalable Transparent Argument of Knowledge) protocol was introduced,Scalable, transparent, and post-quantum secure computational integrity, Ben-Sasson, Eli and Bentov, Iddo and Horesh, Yinon and Riabzev, Michael, 2018 offering transparency (no trusted setup), quasi-linear proving time, and poly-logarithmic verification time.{{cite web, title=Scalable, transparent, and post-quantum secure computational integrity , date=March 6, 2018 , authors=Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, Michael Riabzev , publisher=
International Association for Cryptologic Research International is an adjective (also used as a noun) meaning "between nations". International may also refer to: Music Albums * ''International'' (Kevin Michael album), 2011 * ''International'' (New Order album), 2002 * ''International'' (The T ...
, url=https://eprint.iacr.org/2018/046.pdf , accessdate=October 24, 2021


Definition

Originally, non-interactive zero-knowledge was only defined as a single theorem-proof system. In such a system each proof requires its own fresh common reference string. A common reference string in general is not a random string. It may, for instance, consist of randomly chosen group elements that all protocol parties use. Although the group elements are random, the reference string is not as it contains a certain structure (e.g., group elements) that is distinguishable from randomness. Subsequently, Feige, Lapidot, and Shamir introduced multi-theorem zero-knowledge proofs as a more versatile notion for non-interactive zero-knowledge proofs.


Pairing-based non-interactive proofs

Pairing-based cryptography Pairing-based cryptography is the use of a pairing between elements of two cryptographic groups to a third group with a mapping e :G_1 \times G_2 \to G_T to construct or analyze cryptographic systems. Definition The following definition is commonly ...
has led to several cryptographic advancements. One of these advancements is more powerful and more efficient non-interactive zero-knowledge proofs. The seminal idea was to hide the values for the pairing evaluation in a commitment. Using different commitment schemes, this idea was used to build zero-knowledge proof systems under the
sub-group hiding The sub-group hiding assumption is a computational hardness assumption used in elliptic curve cryptography and pairing-based cryptography. It was first introduced inDan Boneh, Eu-Jin Goh, Kobbi Nissim: Evaluating 2-DNF Formulas on Ciphertexts. TCC ...
Jens Groth, Rafail Ostrovsky, Amit Sahai: Perfect Non-interactive Zero Knowledge for NP. EUROCRYPT 2006: 339–358 and under the
decisional linear assumption The Decision Linear (DLIN) assumption is a computational hardness assumption used in elliptic curve cryptography. In particular, the DLIN assumption is useful in settings where the decisional Diffie–Hellman assumption does not hold (as is oft ...
.Jens Groth, Rafail Ostrovsky, Amit Sahai: Non-interactive Zaps and New Techniques for NIZK. CRYPTO 2006: 97–111 These proof systems prove
circuit satisfiability In theoretical computer science, the circuit satisfiability problem (also known as CIRCUIT-SAT, CircuitSAT, CSAT, etc.) is the decision problem of determining whether a given Boolean circuit has an assignment of its inputs that makes the output tru ...
, and thus by the
Cook–Levin theorem In computational complexity theory, the Cook–Levin theorem, also known as Cook's theorem, states that the Boolean satisfiability problem is NP-complete. That is, it is in NP, and any problem in NP can be reduced in polynomial time by a determi ...
allow proving membership for every language in NP. The size of the common reference string and the proofs is relatively small; however, transforming a statement into a boolean circuit incurs considerable overhead. Proof systems under the
sub-group hiding The sub-group hiding assumption is a computational hardness assumption used in elliptic curve cryptography and pairing-based cryptography. It was first introduced inDan Boneh, Eu-Jin Goh, Kobbi Nissim: Evaluating 2-DNF Formulas on Ciphertexts. TCC ...
,
decisional linear assumption The Decision Linear (DLIN) assumption is a computational hardness assumption used in elliptic curve cryptography. In particular, the DLIN assumption is useful in settings where the decisional Diffie–Hellman assumption does not hold (as is oft ...
, and external Diffie–Hellman assumption that allow directly proving the pairing product equations that are common in
pairing-based cryptography Pairing-based cryptography is the use of a pairing between elements of two cryptographic groups to a third group with a mapping e :G_1 \times G_2 \to G_T to construct or analyze cryptographic systems. Definition The following definition is commonly ...
have been proposed. Under strong knowledge assumptions, it is known how to create sublinear-length computationally soundproof systems for
NP-complete In computational complexity theory, a problem is NP-complete when: # it is a problem for which the correctness of each solution can be verified quickly (namely, in polynomial time) and a brute-force search algorithm can find a solution by tryi ...
languages. More precisely, the proof in such proof systems consists only of a small number of bilinear group elements.Helger Lipmaa. Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments. TCC 2012: 169–189


References

Theory of cryptography