|
|
@ -516,7 +516,7 @@ |
|
|
|
\newcommand{\ZKVerifyingKey}{\mathsf{ZK.VerifyingKey}} |
|
|
|
\newcommand{\pk}{\mathsf{pk}} |
|
|
|
\newcommand{\vk}{\mathsf{vk}} |
|
|
|
\newcommand{\ZKParameterDistribution}{\mathsf{ZK.ParameterDistribution}} |
|
|
|
\newcommand{\ZKGen}{\mathsf{ZK.Gen}} |
|
|
|
\newcommand{\ZKProof}{\mathsf{ZK.Proof}} |
|
|
|
\newcommand{\ZKPrimary}{\mathsf{ZK.PrimaryInput}} |
|
|
|
\newcommand{\ZKAuxiliary}{\mathsf{ZK.AuxiliaryInput}} |
|
|
@ -1245,7 +1245,7 @@ be a function satisfying the security requirements of computational hiding |
|
|
|
and computational binding, as defined in \todo{need reference}. |
|
|
|
|
|
|
|
|
|
|
|
\nsubsubsection{\ZeroKnowledgeProvingSystem} |
|
|
|
\nsubsubsection{\ZeroKnowledgeProvingSystem} \label{abstractzk} |
|
|
|
|
|
|
|
A \zeroKnowledgeProvingSystem is a cryptographic protocol that allows |
|
|
|
proving a particular \statement, dependent on \primary and \auxiliaryInputs, |
|
|
@ -1258,17 +1258,18 @@ A \ppzkSNARK instance $\ZK$ defines: |
|
|
|
\begin{itemize} |
|
|
|
\item a type of \zkProvingKeys, $\ZKProvingKey$; |
|
|
|
\item a type of \zkVerifyingKeys, $\ZKVerifyingKey$; |
|
|
|
\item a probability distribution over $\ZKProvingKey \times \ZKVerifyingKey$ of parameters, $\ZKParameterDistribution$; |
|
|
|
\item a type of \primaryInputs $\ZKPrimary$; |
|
|
|
\item a type of \auxiliaryInputs $\ZKAuxiliary$; |
|
|
|
\item a type of proofs $\ZKProof$; |
|
|
|
\item a type $\ZKSatisfying \subseteq \ZKPrimary \times \ZKAuxiliary$ of inputs satisfying |
|
|
|
the \statement; |
|
|
|
\item a function $\ZKProve{} \typecolon \ZKProvingKey \times \ZKSatisfying \rightarrow \ZKProof$; |
|
|
|
\item a function $\ZKVerify{} \typecolon \ZKVerifyingKey \times \ZKPrimary \times \ZKProof \rightarrow \bit$; |
|
|
|
\item a randomized key pair generation algorithm $\ZKGen \typecolon () \rightarrowR \ZKProvingKey \times \ZKVerifyingKey$; |
|
|
|
\item a proving algorithm $\ZKProve{} \typecolon \ZKProvingKey \times \ZKSatisfying \rightarrow \ZKProof$; |
|
|
|
\item a verifying algorithm $\ZKVerify{} \typecolon \ZKVerifyingKey \times \ZKPrimary \times \ZKProof \rightarrow \bit$; |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
The security requirements below are supposed to hold with overwhelming |
|
|
|
probability for $(\pk, \vk)$ sampled at random from $\ZKParameterDistribution$. |
|
|
|
probability for $(\pk, \vk) \leftarrow \ZKGen()$. |
|
|
|
|
|
|
|
\begin{securityrequirements} |
|
|
|
\item \textbf{Completeness:} An honestly generated proof will convince a verifier: |
|
|
|