# Completeness Soundness Zero Knowledge

For all valid assertions, Verifier says "yes"

For all invalid assertions, Verifier says "no"

Verifier is convinced, but gains "zero knowledge"

# Completeness Soundness Zero Knowledge

For all valid assertions, Verifier says "yes"

For all invalid assertions, Verifier says "no"

( with a very high probability )

Verifier is convinced, but gains "zero knowledge"

# Discrete Logarithm Problem

ZkP \{(\color{red}a) : \color{blue}A = \color{blue}g^\color{red}a \}

$$\color{blue}g$$ is the generator of cyclic group $$\color{blue}G$$ of prime order $$\color{blue}p$$

$$\color{blue}A \in \color{blue}G$$ is an arbitrary group element having discrete logarithm $$\color{red}a = \log_\color{blue}g(\color{blue}A)$$

# Interactive Protocol

ZkP \{(\color{red}a) : \color{blue}A = \color{blue}g^\color{red}a \}
\begin{matrix} \text{Prover} && \text{Verifier} \\ \color{red}k \leftarrow \mathbb{Z}_\color{blue}p \\ \color{blue}r = \color{blue}g^\color{red}k & \longrightarrow & \\ \\ & \longleftarrow & \color{blue}e \leftarrow \mathbb{Z}_\color{blue}p \\ \\ \color{blue}s = \color{red}k + \color{red}a\color{blue}e & \longrightarrow & \text{accept if } \\ && \color{blue}r = \color{blue}g^\color{blue}s \times \color{blue}A^{-\color{blue}e} \end{matrix}

# Non Interactive Protocol

\begin{matrix} \text{Prover} && \text{Verifier} \\ \color{red}k \leftarrow \mathbb{Z}_\color{blue}p \\ \color{blue}r = \color{blue}g^\color{red}k \\ \color{blue}e \leftarrow \mathcal{H}(\color{blue}r) \\ \color{blue}s = \color{red}k + \color{red}a\color{blue}e & \longrightarrow & \text{accept if } \\ && \color{blue}r = \color{blue}g^\color{blue}s \times \color{blue}A^{-\color{blue}e} \end{matrix}

# 3 step process (NIP)

testNonInteractiveProof :: IO Bool
testNonInteractiveProof = do
let secret = 42
let a' = pointBaseMul secp256k1 secret

-- Prover
(r, k) <- commmitment

-- Prover
let e = oracle (show r)

-- Prover
let s = response k e secret

-- Verifer
pure (verify a' r e s)



# 3 step process (IP)

testInteractiveProof :: IO Bool
testInteractiveProof = do
let secret = 42
let a' = pointBaseMul secp256k1 secret

-- Prover
(r, k) <- commmitment

-- Verifier
e <- challange

-- Prover
let s = response k e secret

-- Verifer
pure (verify a' r e s)



\begin{matrix} \color{red}k \leftarrow \mathbb{Z}_\color{blue}p \\ \color{blue}r = \color{blue}g^\color{red}k \end{matrix}
commmitment :: MonadRandom m => m (Point, Integer)
commmitment = do
k <- generateBetween 0 p
pure (pointBaseMul secp256k1 k, k)
\text{Prover}
\color{blue}e \leftarrow \mathbb{Z}_\color{blue}p
challange :: MonadRandom m => m Integer
challange = generateBetween 0 p
\color{blue}s = \color{red}k + \color{red}a\color{blue}e
response :: Integer -> Integer -> Integer -> Integer
response k chal secret = (k + chal*secret)



\begin{matrix} \text{accept if } \\ \color{blue}r = \color{blue}g^\color{blue}s \times \color{blue}A^{\color{blue}e} \end{matrix}
verify :: Point -> Point -> Integer -> Integer -> Bool
verify a' r e s = lhs == rhs
where
lhs = pointBaseMul secp256k1 s
rhs = pointAdd secp256k1 r (pointMul secp256k1 e a')


\text{Verifier}

# Completeness

\begin{matrix} \text{accept if } \\ \color{blue}r & = & \color{blue}g^\color{blue}s \times \color{blue}A^{\color{blue}e} \\ \color{blue}r & = & \color{blue}g^{\color{red}k+\color{red}a\color{blue}e} \times ( \color{blue}g^\color{red}k)^{\color{blue}e} \\ \color{blue}r & = & \color{blue}g^{\color{red}k} \end{matrix}

# Not Optimal

testAndProof :: IO (Bool, Bool)
testAndProof= do
a <- testNonInteractiveProof
b <- testNonInteractiveProof
pure (a, b)



# Single commitment


testAndProof' :: IO Bool
testAndProof' = do

let secretA = 42
let a' = pointBaseMul secp256k1 secretA
let secretB = 43
let b' = pointBaseMul secp256k1 secretB

-- Prover
(r, k) <- commmitment

-- Prover
let e = oracle (show r)

-- Prover
let s = (response k e secretA) + e * secretB

-- Verifer
pure (verifyAnd a' b' r e s)

verifyAnd a' b' r e s = lhs == rhs
where
lhs = pointBaseMul secp256k1 s
a = pointMul secp256k1 e a'
b = pointMul secp256k1 e b'


# Title Text

testEqProof :: IO Bool
testEqProof = do

let secret = 42
let a' = pointBaseMul secp256k1 secret
let b' = pointBaseMul secp192r1 secret

-- Prover
k <- generateBetween 0 p
let rA = pointBaseMul secp256k1 k
let rB = pointBaseMul secp192r1 k

-- Prover
let e = oracle (show [rA,rB])

-- Prover
let s = (response k e secret)

-- Verifer
pure (verifyEq secp256k1 a' rA e s && verifyEq secp192r1 b' rB e s)
verifyEq :: Curve -> Point -> Point -> Integer -> Integer -> Bool
verifyEq curve a' r e s = lhs == rhs
where
lhs = pointBaseMul curve s
rhs = pointAdd curve r (pointMul curve e a')

By ..

• 512