Zmix #12
Zmix #12
Conversation
brentzundel
requested review from
brentzundel,
danintel,
dcmiddle,
dhuseby,
dubovitskaya,
hartm,
lovesh,
mac-arrap,
manudrijvers and
vaporos
as code owners
Signed-off-by: Michael Lodder <[email protected]>
Signed-off-by: Manu Drijvers <[email protected]>
Signed-off-by: Franz-Stefan Preiss <[email protected]>
Signed-off-by: Manu Drijvers <[email protected]>
Signed-off-by: Brent <[email protected]>
Signed-off-by: Michael Lodder <[email protected]>
Signed-off-by: Brent <[email protected]>
Signed-off-by: Brent <[email protected]>
Signed-off-by: Michael Lodder <[email protected]>
Signed-off-by: Michael Lodder <[email protected]>
Signed-off-by: Brent <[email protected]>
Signed-off-by: Michael Lodder <[email protected]>
…ation - Also make some other minor adjustments/improvements Signed-off-by: Franz-Stefan Preiss <[email protected]>
Signed-off-by: Michael Lodder <[email protected]>
Signed-off-by: Michael Lodder <[email protected]>
Signed-off-by: Michael Lodder <[email protected]>
Signed-off-by: Michael Lodder <[email protected]>
Signed-off-by: Michael Lodder <[email protected]>
- Focus more on *how* all the parts fit together (based on *proof modules* and the generic concept of *statements*) rather than immediately discussion concrete statement types. Signed-off-by: Franz-Stefan Preiss <[email protected]>
|
|
||
| Zmix is a library for expressing, constructing, and verifying non-interactive | ||
| zero-knowledge proofs (ZKPs). A broad class of zero-knowledge proofs is | ||
| supported. Schnorr-type proofs are used for many parts and to glue pieces |
There was a problem hiding this comment.
Is the overall goal to create a proof over an aggregation of proofs?
If so does the reference to Schnorr here imply that there is a Schnorr proof that connects all the sub-proofs?
If so the Proof structure defined later may be missing the 'y' term (i.e. y = g^x) and also the proof orchestrator may need a concept of summing the individual witnesses into a single x such that the y could be created and have meaning.
There was a problem hiding this comment.
The idea is that you need to bind sub proofs together somehow. Schnorr is used for that.
An example is a selective disclosure proof and an interval proof. How are they bound? The answer is to use a Schnorr proof that shows message 5 in the disclosure proof is the same value used in the interval proof.
0000-zmix/README.md
Outdated
|
|
||
| ``` | ||
| pub struct ProofSpec { | ||
| message_count: usize, |
There was a problem hiding this comment.
If these messages are the individual witnesses then a name like witness_count might be more specific. Similarly for the other uses of message in this document with the exception of its use in the BBS example.
fwiw, libsnark refers to hidden and revealed terms collectively as inputs and then differentiates between primary inputs (public terms) and auxiliary inputs (witnesses / secret terms).
There was a problem hiding this comment.
@manudrijvers What do you think about using the same terminology as libsnark? I don't like the hiddenormessage name.
0000-zmix/README.md
Outdated
| challenge_hash: Vec<u8>, | ||
| ) -> Result<StatementProof, ZkLangError>; | ||
| fn recompute_hash_contribution( | ||
| challenge_hash: Vec<u8>, |
There was a problem hiding this comment.
How will recompute_hash_contribution use challenge_hash? Elsewhere challenge_hash is defined as the hash of the individual contributions. Maybe challenge_hash was meant to be the concatenation of these hashes? Or perhaps there needs to be a list of commitments and the elements of that list can be used to regenerate the challenges in conjunction with the witnesses and other terms?
There was a problem hiding this comment.
We need to clean this part. The idea is that each proof contributes to the challenge_hash. @manudrijvers what exactly is recompute_hash_contribution?
There was a problem hiding this comment.
One way to do Schnorr protocol is in which the verifier recompute the challenge and compares that (for equality) with the prover's claimed challenge. To recompute the challenge, the verifier recomputes the commitments and then hashes them at the end. HashContribution would be an abstraction over the commitment.
There was a problem hiding this comment.
A prover computes so-called t-values based on randomness, hashes t-values to form the "challenge hash" c, and uses that to compute s-values.
When verifying, given c and s-values, you can recompute the which t-values should go with that, and then check that if you hash those recomputed t-values, you indeed get the challenge hash c that was given to you. recompute_hash_contribution would do the recomputation of the t-values.
| /// * TODO: add further requirements | ||
| pub struct Witness { | ||
| messages: Vec<Vec<u8>>, | ||
| statement_witnesses: Vec<StatementWitness>, |
There was a problem hiding this comment.
What is the purpose of statement_witness (and the use of a struct) vs just having a witness list?
There was a problem hiding this comment.
Not sure I completely understand the question but let me try to clarify: We get a vector of witness information such that each piece of the witness information corresponds to one of the proof statements. It's a struct such that we can make it structured data, for example, a BBS signature BBS proof expects a BBS signature as a witness, so we use a StatementWitness struct rather than just bytes.
There was a problem hiding this comment.
Why both messages and statement_witnesses in Witness struct? What information is contained in messages that is not contained in statement_witnesses?
0000-zmix/README.md
Outdated
| zero-knowledge proofs. | ||
|
|
||
| To construct a proof, zmix requires a `ProofSpec s` and a `Witness w` | ||
| (which is a valid witness for `p`), and will output a `Proof p`. |
There was a problem hiding this comment.
Typo: "which is a valid witness for p" should be "which is a valid witness for s"
| Conceptually, the zmix library will offer the functions: | ||
|
|
||
| * `generate_proof(s: ProofSpec, w: Witness) -> Result<Proof, Error>` | ||
| * `verify_proof(p: Proof, s: ProofSpec) -> Result<(), Error>` |
There was a problem hiding this comment.
This function signature indicates that on failure there is error and success means no error which contradicts the statement given above "To verify a proof, zmix requires a ProofSpec s and a Proof p, and will output a boolean".
| The library will offer and support various types of statements, such as signatures and commitments. | ||
| To combine and connect all the statements (i.e., the proof's parts) contained in the proof specification, that is, glue all parts together into a single zero-knowledge proof, the library will use _Schnorr proofs_. | ||
|
|
||
| For generating a Schnorr proof that encompasses multiple statements, for each statement one requires a _hash contribution_ on the one hand, and a _proof contribution_ based on an aggregation of the hash contributions on the other hand. |
There was a problem hiding this comment.
"a proof contribution based on an aggregation of the hash contributions on the other hand" is incomplete. The proof contribution also involves the witness.
0000-zmix/README.md
Outdated
| fn get_hash_contribution( | ||
| statement: Statement, | ||
| witness: StatementWitness, | ||
| message_r_values: Vec<Vec<u8>>, |
There was a problem hiding this comment.
Assuming message_r_values are the blinding factors, why not rename message_r_values to something like that?
| messages: Vec<HiddenOrRevealedValue>, | ||
| }, | ||
| PedersenCommitment { | ||
| message_index: usize, |
There was a problem hiding this comment.
You are also proving the knowledge of randomness in the commitment so there should be a field for that.
| ### Statements | ||
|
|
||
| ```rust | ||
| pub enum Statement { |
There was a problem hiding this comment.
This enum should have variants for equality/inequality of witnesses across statements
There was a problem hiding this comment.
Better to generalize the relations as
- inequality with public value
- inequality among witness
- equality with public value (same as disclose)
- equality among witness
- greater than/less than with public value
- greater than/less than among witness
| /// * TODO: add further requirements | ||
| pub struct Witness { | ||
| messages: Vec<Vec<u8>>, | ||
| statement_witnesses: Vec<StatementWitness>, |
There was a problem hiding this comment.
Why both messages and statement_witnesses in Witness struct? What information is contained in messages that is not contained in statement_witnesses?
| pub enum Statement { | ||
| /// Boneh Boyen Shacham Signature | ||
| SignatureBBS { | ||
| pk: Vec<u8>, |
There was a problem hiding this comment.
Is the pk enough to identify which signature is being referred?
| ``` | ||
| pub struct ProofSpec { | ||
| message_count: usize, | ||
| statements: Vec<Statement>, |
There was a problem hiding this comment.
It is assumed there is a conjunction (AND) between statements but there can be a disjunction (OR) as well.
| ### Statements | ||
|
|
||
| ```rust | ||
| pub enum Statement { |
There was a problem hiding this comment.
Better to generalize the relations as
- inequality with public value
- inequality among witness
- equality with public value (same as disclose)
- equality among witness
- greater than/less than with public value
- greater than/less than among witness
| commitment: Vec<u8>, | ||
| params: PedersenCommitmentParams, | ||
| }, | ||
| IntervalBulletproof { |
There was a problem hiding this comment.
How do you know which signature is referred?
| }, | ||
| } | ||
|
|
||
| pub enum HiddenOrRevealedValue { |
| messages: Vec<HiddenOrRevealedValue>, | ||
| }, | ||
| /// Pointcheval Sanders Signature | ||
| SignaturePS { |
|
|
||
| ## Structures | ||
|
|
||
| ### Statements |
There was a problem hiding this comment.
There should be separation between instance data and relation. So organize instance data and make it identifiable and then state relations and refer instance data and witness with their corresponding identifiers.
Signed-off-by: lovesh <[email protected]>
Signed-off-by: lovesh <[email protected]>
|
I suggest we close this. |
7 participants
No description provided.