I'm still working on grokking these newer VOLE-based IZK protocols, but wanted to jot this down before I forget. No idea if it is sound.
In the Quicksilver paper:
It appears to me that verification of a statement can be deferred to another party (assuming this 3rd party Verifier trusts that the original Verifier was honest).
Assume that the circuit $C$ is not known to $V$, and modify the protocol such that $V$ simply accepts blind commitments from $P$.
Step 4: $P$ sends a binding commitment to the correction bits $\delta_i$.
Step 5b: $P$ sends a binding commitment to the correction bits $d_i$
Step 7a: $V$ samples $\chi$ and sends it to $P$ as usual
Step 7b: $P$ computes $(U, V)$ as usual, and sends a binding commitment of it to $V$
Step 8a: $P$ sends a binding commitment to $m_h$
Now $P$ should be fully committed to the witness and statement, $V$ can sign all commitments, $\Delta$ and their input seed to the PCG $\rho$.
Later, $V_2$, knowing the circuit $C$, can receive the signed commitments including the decommitments from $P$ and non-interactively verify the proof themselves.
The motivation for the above is that $P$ can generate proofs without $V$ having to even know the statement. This is relevant in the TLSNotary protocol, where the Prover does not want to disclose anything to the Notary but it would be beneficial to commit to these proofs for disclosure to another party later. Pretty rad that these proofs would be non-interactive!
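An added sketch of the commit, sign and open layer proposed in the issue above (not code from the issue author or the project, and it makes no claim about soundness): $P$ commits to each message, $V$ signs the commitments together with $\Delta$ and $\rho$ without seeing the values, and $V_2$ checks the signature and the decommitments. Assumptions: SHA-256 hash commitments, a Lamport one-time signature standing in for $V$'s unspecified signature scheme (one key per session), random bytes in place of real protocol messages, and all function names; the Quicksilver check itself, which needs $C$, is not modelled.

```python
import hashlib, secrets

def H(*parts):
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(8, "big") + p)
    return h.digest()

def commit(label, value):
    """Hash commitment to one protocol message; returns (commitment, nonce)."""
    nonce = secrets.token_bytes(32)
    return H(b"commit", label, nonce, value), nonce

# Lamport one-time signature, standing in for V's signature scheme (assumption).
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]
def _bits(msg):
    d = H(b"sig", msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]
def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]
def verify_sig(pk, msg, sig):
    bits = _bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))

LABELS = [b"delta", b"d", b"UV", b"m_h"]  # commitments from steps 4, 5b, 7b, 8a

def transcript(coms, Delta, rho):
    """What V signs: all of P's commitments, then Delta and the PCG seed rho."""
    return H(b"transcript", *[coms[l] for l in LABELS], Delta, rho)

def v2_check(pk, sig, coms, Delta, rho, openings):
    """V_2: check V's signature, then each decommitment (nonce, value) from P."""
    if not verify_sig(pk, transcript(coms, Delta, rho), sig):
        return False
    return all(H(b"commit", l, *openings[l]) == coms[l] for l in LABELS)

def demo():
    """Constructed session: random bytes stand in for the real messages."""
    values = {l: secrets.token_bytes(16) for l in LABELS}
    coms, openings = {}, {}
    for l in LABELS:                      # P commits; V only ever sees coms
        coms[l], nonce = commit(l, values[l])
        openings[l] = (nonce, values[l])
    Delta, rho = secrets.token_bytes(16), secrets.token_bytes(16)
    sk, pk = keygen()
    sig = sign(sk, transcript(coms, Delta, rho))  # V signs without the values
    return pk, sig, coms, Delta, rho, openings
```

In this sketch $V_2$ rejects if any opened value, any commitment, $\Delta$ or $\rho$ differs from what $V$ signed; running the actual proof check on the opened values is the step left to $V_2$ and the circuit.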