Come teach a student how ZKP's work technically. Anybody else who wants to know, please come, and someone come teach us!

From IIW

Thursday 22F

Convener: Michael Black

Notes-taker(s): Michael Black

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Useful Slides: http://docs.google.com/presentation/d/1hGEpWIpl9hp8QoTIXjlozY7Gzy6zXY9lAL2x6U1b7Fk

Shoutout to Brent Zundel for teaching! Shoutout to Mike (malwhere) for the support!

Brief overview

An anonymous credential is a verifiable credential

Anything that isn't explicitly made public will not be disclosed on verification

A holder identifier can be used to bind the credential to a holder, but other methods, such as a blinded secret, can also be used

Anonymous vs. Verifiable

An anonymous credential is a verifiable credential but doesn't disclose values

Must be comfortable with exponents and modular arithmetic to understand ZKP technically

A prime field is a finite field that contains a prime number of elements

Diffie Hellman

Generate prime n

Pick a random 1 < g < n

Alice chooses random a

Alice computes:

Alice sends A, g, and n to Bob

Bob chooses random b

Bob computes

Bob sends B to Alice


Went over RSA

RSA

Things to remember: g^x mod n

g is the generator; the holder knows x but can't change it

ZK Protocol

verifier needs to know holder can't cheat

holder needs to know verifier can't discover secret

Both contribute to randomness

randomness is unique per transaction

NIZK

Prover convinces Verifier she knows x

Prover receives n, g, i, H

Prover

Generates: random r < n

Computes:

a test value:

a commitment to the secret:

a challenge hash:

a challenge value:

Sends: y, s, cH to Verifier

Important for verifier to pick a good hash function

That's where the probability comes in
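
The non-interactive proof outlined above, as an added example that is not taken from the session slides: it uses the standard Schnorr proof of knowledge with a Fiat-Shamir hash. The mapping of t, y, cH and s onto the notes' terms, the verifier-supplied nonce, the choice of SHA-256, and the constructed toy group (P, Q, G) are assumptions.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: safe prime P = 2*Q + 1,
# and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def challenge_hash(y: int, t: int, nonce: bytes) -> int:
    """cH = SHA-256 over the public values and the verifier's nonce."""
    data = b"|".join(str(v).encode() for v in (P, G, y, t)) + b"|" + nonce
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def prove(x: int, nonce: bytes):
    """Prover: return (y, s, cH) showing knowledge of x with y = G^x mod P."""
    r = secrets.randbelow(Q - 1) + 1     # fresh randomness for every proof
    t = pow(G, r, P)                     # test value
    y = pow(G, x, P)                     # commitment to the secret
    cH = challenge_hash(y, t, nonce)     # challenge hash replaces a live verifier
    s = (r + (cH % Q) * x) % Q           # response: x blinded by r
    return y, s, cH


def verify(y: int, s: int, cH: int, nonce: bytes) -> bool:
    """Verifier: rebuild the test value from (y, s, cH) and re-hash it."""
    # Reject values outside the order-Q subgroup before doing any arithmetic.
    if not (1 < y < P and pow(y, Q, P) == 1 and 0 <= s < Q):
        return False
    # Honest prover: G^s * y^(-c) = G^(r + c*x) * G^(-c*x) = G^r = t
    t = (pow(G, s, P) * pow(y, -(cH % Q), P)) % P
    return challenge_hash(y, t, nonce) == cH
```

Binding the nonce into the hash means a proof captured in one session fails verification in another, which is the per-transaction randomness noted under "ZK Protocol".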

Make a commitment to every single message (blind everything you are proving)

commitment ( g^x mod n )

blinded commitment ( g1^x * g2^r mod n )


A credential ({m}, A, e, v) consists of these values:

Attributes (integers): {m1, m2, …, mj}

Signature (integers) (A, e, v)

Issuer Private Key (p’, q’) where p = (2p’+1), q = (2q’+1), p*q = n

Issuer Public Key (n, S, Z, {R})

Modulus n

Random numbers S, Z < n

Random numbers {R1, R2, …, Rj}


Sorry if the notes are hard to follow. Honestly, the slides walk through all of this and are much more readable.

Recommend going through the math step by step to help learn. Stepping through really helps understanding.