Come teach a student how ZKP's work technically. Anybody else who wants to know, please come, and someone come teach us!
Thursday 22F
Convener: Michael Black
Notes-taker(s): Michael Black
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Useful Slides: http://docs.google.com/presentation/d/1hGEpWIpl9hp8QoTIXjlozY7Gzy6zXY9lAL2x6U1b7Fk
Shoutout to Brent Zundel for teaching! Shoutout to Mike (malwhere) for the support!
Brief overview
An anonymous credential is a verifiable credential
Anything that isn't explicitly made public will not be disclosed on verification
A holder identifier can be used to bind to a holder, but other methods can be used, like a blinded secret
Anonymous vs. Verifiable
An anonymous credential is a verifiable credential but doesn't disclose values
Must be comfortable with exponents and modular arithmetic to understand ZKP technically
A prime field is a finite field that contains a prime number of elements
Diffie Hellman
Generate prime n
Pick a random 1 < g < n
Alice chooses random a
Alice computes:
Alice sends A, g, and n to Bob
Bob chooses random b
Bob computes
Bob sends B to Alice
Went over RSA
RSA
Things to remember: g^x mod n
g is the generator and the holder knows but can't change x
ZK Protocol
Verifier needs to know holder can't cheat
Holder needs to know verifier can't discover secret
Both contribute to randomness
Randomness is unique per transaction
NIZK
Prover convinces Verifier she knows x
Prover receives n, g, i, H
Prover
Generates: random r < n
Computes:
a test value:
a commitment to the secret:
a challenge hash:
a challenge value:
Sends: y, s, cH to Verifier
Important for verifier to pick a good hash function
That's where the probability comes in
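The non-interactive flow above as runnable Python, added here as an example and not taken from the session or its slides. It assumes the standard Schnorr proof with a Fiat-Shamir challenge; the formulas, the reading of i as a per-transaction nonce supplied by the verifier, SHA-256 as H, and the toy 127-bit prime are all assumptions.

```python
import hashlib
import secrets

N = 2**127 - 1  # toy prime modulus n (constructed; far too small for real use)
G = 3           # public base g

def challenge_hash(*values):
    """cH = H(values) as an integer; SHA-256 stands in for H (assumption)."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def prove(x, nonce):
    """Prover: show knowledge of x without revealing it. Returns (y, s, cH)."""
    r = secrets.randbelow(N - 1)            # fresh randomness for every proof
    t = pow(G, r, N)                        # test value: g^r mod n
    y = pow(G, x, N)                        # commitment to the secret: g^x mod n
    c = challenge_hash(G, N, y, t, nonce)   # challenge hash binds all public values
    s = (r - c * x) % (N - 1)               # challenge value; exponents wrap mod n-1
    return y, s, c

def verify(y, s, c, nonce):
    """Verifier: rebuild the test value from (y, s, cH) and re-hash it."""
    # g^s * y^c = g^(r - c*x) * g^(c*x) = g^r, the prover's test value
    t = (pow(G, s, N) * pow(y, c, N)) % N
    return c == challenge_hash(G, N, y, t, nonce)

if __name__ == "__main__":
    secret_x = secrets.randbelow(N - 1)     # holder's secret (constructed)
    nonce = secrets.token_hex(16)           # verifier's contribution to randomness
    y, s, c = prove(secret_x, nonce)
    print("valid proof accepted: ", verify(y, s, c, nonce))
    print("tampered s accepted:  ", verify(y, (s + 1) % (N - 1), c, nonce))
    print("replay under new nonce:", verify(y, s, c, secrets.token_hex(16)))
```

The verifier never sees r or x, and because the nonce is hashed into the challenge, a proof captured in one transaction does not verify in another.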
Make a commitment to every single message (blind everything you are proving)
Commitment ( g^x mod n )
Blinded commitment ( g1^x * g2^r mod n )
A credential ({m}, A, e, v) consists of these values:
Attributes (integers): {m1, m2, …, mj}
Signature (integers) (A, e, v)
Issuer Private Key (p’, q’) where p = (2p’+1), q = (2q’+1), p*q = n
Issuer Public Key (n, S, Z, {R})
Modulus n
Random numbers S, Z < n
Random numbers {R1, R2, …, Rj}
Sorry if the notes are hard to follow. Honestly, the slides walk through all of this and are much more readable.
Recommend going through the math step by step to help learn. Stepping through really helps understanding.