zk-SNARKs

A Non-interactive Zero-knowledge Proof

Outline

  • Recap
  • Non-interactive Zero-knowledge Proof
  • zk-SNARKs
    • Homomorphic Hiding
    • QAP (brief)
    • KCA (brief)
  • Reference

Recap

Zero-knowledge Proof

Prover

Verifier

the 1st block

Non-interactive Zero-knowledge Proof

Prover

Verifier

Where's Wally

???

zk-SNARKs

Features

  • non-interactive
    • less computation
  • tiny and easy to verify
    • keep Mina's blockchain light
    • keep personal data private

but I don't need to tell you where he is

my credit score is high enough to ...

but I don't need to tell you what my credit score exactly is

Goal - Blindness & Verifiable

Polynomial P(x)

Secret Point s

Verify P(s)

s

P(s)

P(x) = c_0 + c_1x + c_2x^2 + c_3x^3...

Concepts

Polynomial P(x)

Secret Point s

Verify P(s)

s

P(s)

P(x) = c_0 + c_1x + c_2x^2 + c_3x^3...

1. Homomorphic Hidings

2. QAP

3. KCA

Homomorphic Hidings

the most prominent

verify x + y = 7

x + y = 7

x, y

  • E(x) -x-> x
  • x != y then E(x) != E(y)
  • E(x+y) can be computed by E(x), E(y)
= g^x

verify x + y = 7

x + y = 7

x, y

verify x + y = 7

check E(x+y) ?= E(7)

x + y = 7

E(x), E(y)

So it is different from hash

E(x)

Secret Point s

Verify P(s)

Secret Point s

Verify P(s)

s

P(x) = c_0 + c_1x + c_2x^2 + c_3x^3...
E(s), E(s^2), E(s^3)...

E(P(x)) can be computed

E(x+y) can be computed by E(x), E(y)

QAP & KCA

brief

Secret Point s

Verify P(s) ?

Secret Point s

P(x) = c_0 + c_1x + c_2x^2 + c_3x^3...
E(s), E(s^2), E(s^3)...

QAP - the most complex

E(P(s))
E(P(s)) = H(s) * Z(s)
H(s)

Secret Point s

Verify P(s) ?

Secret Point s

P(x) = c_0 + c_1x + c_2x^2 + c_3x^3...
E(s), E(s^2), E(s^3)...

Problem: P'(x) & H'(x)

E(P'(s))
E(P'(s)) = H'(s) * Z(s)
H'(s)
(a, b), b = \alpha a

KCA - prevent P'(x) & H'(x)

  • alpha pair
  • alpha can't be computed by b/a
(c, d), c = \alpha d

how

(a, b), b = \alpha a

KCA - prevent P'(x) & H'(x)

  • alpha pair
  • alpha can't be computed by b/a
(\gamma a, \gamma b)

Secret Point s

Verify P(s)

Secret Point s

Verify P(s)

P(x) = c_0 + c_1x + c_2x^2 + c_3x^3...
E(s), E(s^2), E(s^3)...

KCA - prevent P'(x) & H'(x)

E(P(s)), E(\alpha P(s)), H(s)
E(P(s)) = H(s) * Z(s)
E(\alpha s), E(\alpha s^2), E(\alpha s^3)...

Summary

  • zk-SNARKs is non-interactive
  • Homomorphic Hidings for hiding secret point s
  • QAP for verifying P(x)
  • KCA for making sure that secret point s is used

Reference

zk-SNARKs

By hsutzu

Made with Slides.com

zk-SNARKs

  • 351

More from hsutzu