Research VOLE IZK proof deferral #17

Open
sinui0 opened this issue Jun 12, 2023 · 0 comments

sinui0 commented Jun 12, 2023

I'm still working on grokking these newer VOLE-based IZK protocols, but wanted to jot this down before I forget. No idea if it is sound.

In the Quicksilver paper:

image

It appears to me that verification of a statement can be deferred to another party (assuming this 3rd party Verifier trusts that the original Verifier was honest).

Assume that the circuit $C$ is not known to $V$, and modify the protocol such that $V$ simply accepts blind commitments from $P$.

Step 4: $P$ sends a binding commitment to the correction bits $\delta_i$.
Step 5b: $P$ sends a binding commitment to the correction bits $d_i$.
Step 7a: $V$ samples $\chi$ and sends it to $P$ as usual.
Step 7b: $P$ computes $(U, V)$ as usual, and sends a binding commitment of it to $V$.
Step 8a: $P$ sends a binding commitment to $m_h$

Now $P$ should be fully committed to the witness and statement; $V$ can sign all commitments, $\Delta$ and their input seed to the PCG $\rho$.

Later, $V_2$, knowing the circuit $C$, can receive the signed commitments including the decommitments from $P$ and non-interactively verify the proof themselves.

The motivation for the above is that $P$ can generate proofs without $V$ having to even know the statement. This is relevant in the TLSNotary protocol, where the Prover does not want to disclose anything to the Notary but it would be beneficial to commit to these proofs for disclosure to another party later. Pretty rad that these proofs would be non-interactive!
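A toy model of the flow described in this issue, added here as an example and not part of the original post or of any TLSNotary code: $P$ commits to the corrections and to $(U, V)$, and $V_2$ later opens the commitments and runs the batched multiplication check. Assumptions: a prime field, a trusted dealer in place of the VOLE/PCG (the record carries $V$'s keys directly instead of the seed $\rho$), SHA-256 hash commitments, one correction vector covering every wire, and no signature over the record. It illustrates the bookkeeping only and says nothing about whether the deferral is sound.

```python
import hashlib, secrets

P = 2**61 - 1  # toy prime field (assumption, not from the issue)

def commit(value):
    """Hash commitment; returns (digest, opening)."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + repr(value).encode()).hexdigest(), (nonce, value)

def opens(digest, opening):
    nonce, value = opening
    return hashlib.sha256(nonce + repr(value).encode()).hexdigest() == digest

def dealer(n, Delta):
    """Trusted-dealer stand-in for the VOLE/PCG: k_i = m_i + u_i * Delta."""
    u = [secrets.randbelow(P) for _ in range(n)]
    m = [secrets.randbelow(P) for _ in range(n)]
    return u, m, [(mi + ui * Delta) % P for mi, ui in zip(m, u)]

def prover_uv(w, m, u, gates, chi):
    """P's (U, V); the spare VOLE element (last index) masks the sums."""
    U, V = m[-1], u[-1]
    for x, (a, b, c) in zip(chi, gates):
        U = (U + x * m[a] * m[b]) % P
        V = (V + x * (w[a] * m[b] + w[b] * m[a] - m[c])) % P
    return U, V

def deferred_verify(record, openings, gates):
    """V2: check the openings against the record, then the batched check."""
    if not all(opens(record[n], openings[n]) for n in ("delta", "UV")):
        return False
    corr, (U, V) = openings["delta"][1], openings["UV"][1]
    D, k = record["Delta"], record["keys"]
    kw = [(ki + di * D) % P for ki, di in zip(k, corr)]  # keys for wire values
    W = k[-1]
    for x, (a, b, c) in zip(record["chi"], gates):
        W = (W + x * (kw[a] * kw[b] - kw[c] * D)) % P
    return W == (U + V * D) % P

def run(w, gates):
    """Constructed end-to-end run: w is every wire value, gates are (a, b, c) with w[c] = w[a]*w[b]."""
    Delta = 1 + secrets.randbelow(P - 1)
    u, m, k = dealer(len(w) + 1, Delta)
    c_delta, o_delta = commit([(wi - ui) % P for wi, ui in zip(w, u)])
    chi = [1 + secrets.randbelow(P - 1) for _ in gates]  # V samples chi after c_delta
    c_uv, o_uv = commit(prover_uv(w, m, u, gates, chi))
    record = {"delta": c_delta, "UV": c_uv, "chi": chi, "Delta": Delta, "keys": k}
    return deferred_verify(record, {"delta": o_delta, "UV": o_uv}, gates)
```

In this model $P$ never sees `Delta` before both commitments are fixed; the record handed to $V_2$ is the first place it appears.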
