@ -664,6 +664,8 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg |
|
|
|
\newcommand{\ZKSatisfying}{\mathsf{ZK.SatisfyingInputs}} |
|
|
|
\newcommand{\ZKProve}[1]{\mathsf{ZK.}\mathtt{Prove}_{#1}} |
|
|
|
\newcommand{\ZKVerify}[1]{\mathsf{ZK.}\mathtt{Verify}_{#1}} |
|
|
|
\newcommand{\Simulator}{\mathcal{S}} |
|
|
|
\newcommand{\Distinguisher}{\mathcal{D}} |
|
|
|
\newcommand{\JoinSplit}{\text{\footnotesize\texttt{JoinSplit}}} |
|
|
|
\newcommand{\ZKJoinSplit}{\mathsf{ZK}_{\JoinSplit}} |
|
|
|
\newcommand{\ZKJoinSplitVerify}{\ZKJoinSplit\mathsf{.Verify}} |
|
|
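Review bot: font inconsistency between the verify macros in this hunk: \ZKVerify sets the operation name as \mathtt{Verify} (after \mathsf{ZK.}), while the new \ZKJoinSplitVerify sets it as \mathsf{.Verify}, so the specialised and generic verifiers will render in different typefaces when they appear side by side. Suggest \newcommand{\ZKJoinSplitVerify}{\ZKJoinSplit\mathsf{.}\mathtt{Verify}} so the two stay in step. The new \Simulator and \Distinguisher macros are also undocumented; a one-line comment saying they denote the zero-knowledge simulator and distinguisher would help readers of the macro file.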
@ -673,6 +675,9 @@ electronic commerce and payment, financial privacy, proof of work, zero knowledg |
|
|
|
\newcommand{\JoinSplitProof}{\Proof_{\JoinSplit}} |
|
|
|
\newcommand{\zkproof}{\mathtt{zkproof}} |
|
|
|
\newcommand{\POUR}{\texttt{POUR}} |
|
|
|
\newcommand{\Prob}[2]{\mathrm{Pr}\scalebox{0.88}{\ensuremath{ |
|
|
|
\left[\!\!\begin{array}{c}#1\end{array} \middle| \begin{array}{l}#2\end{array}\!\!\right] |
|
|
|
}}} |
|
|
|
|
|
|
|
% JoinSplit |
|
|
|
\newcommand{\hSig}{\mathsf{h_{Sig}}} |
|
|
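Review bot: \Prob hard-codes \scalebox{0.88} and uses \middle|, so it depends on graphicx and on an e-TeX engine inside a \left...\right pair; nothing in this hunk loads graphicx, so confirm it is in the preamble. The macro also deserves a comment stating its argument order (#1 is the event, #2 the sampling conditions, each \\-separated), and it sits immediately above the % JoinSplit section marker even though it is generic probability notation; placing it above that comment would keep the grouping accurate.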
@ -1493,8 +1498,18 @@ a type of commitments $\CommitOutput$, and a type of \commitmentTrapdoors |
|
|
|
$\CommitTrapdoor$. |
|
|
|
|
|
|
|
Let $\Commit{} \typecolon \CommitTrapdoor \times \CommitInput \rightarrow \CommitOutput$ |
|
|
|
be a function satisfying the security requirements of computational hiding |
|
|
|
and computational binding, as defined in \todo{need reference}. |
|
|
|
be a function satisfying the security requirements below. |
|
|
|
|
|
|
|
\begin{securityrequirements} |
|
|
|
\item \textbf{Computational hiding:} For all $x, x' \typecolon \CommitInput$, |
|
|
|
the distributions $\{\; \Commit{r}(x) \;|\; r \leftarrowR \CommitTrapdoor \;\}$ |
|
|
|
and $\{\; \Commit{r}(x') \;|\; r \leftarrowR \CommitTrapdoor \;\}$ are |
|
|
|
computationally indistinguishable. |
|
|
|
\item \textbf{Computational binding:} It is infeasible to find |
|
|
|
$x, x' \typecolon \CommitInput$ and |
|
|
|
$r, r' \typecolon \CommitTrapdoor$ |
|
|
|
such that $x \neq x'$ and $\Commit{r}(x) = \Commit{r'}(x')$. |
|
|
|
\end{securityrequirements} |
|
|
|
|
|
|
|
|
|
|
|
\nsubsubsection{\ZeroKnowledgeProvingSystem} \label{abstractzk} |
|
|
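Review bot: the new securityrequirements block for \Commit leaves both properties asymptotic ("computationally indistinguishable", "infeasible") although the document states elsewhere that it gives concrete rather than asymptotic security; consider naming the adversary resource bound, or noting that these requirements are to be read with concrete parameters. The binding requirement is correctly stated as x \neq x' with \Commit{r}(x) = \Commit{r'}(x'), so equal inputs under different trapdoors are rightly not counted as a break. Minor: the replaced line drops the \todo{need reference}, which is good; "the security requirements below" would read more naturally as "the following security requirements".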
@ -1533,19 +1548,44 @@ $x \typecolon \ZKPrimary$ and proof $\Proof \typecolon \ZKProof$ such that $\ZKV |
|
|
|
there is an efficient extractor $E_{\Adversary}$ such that if $E_{\Adversary}(\vk, \pk)$ |
|
|
|
returns $w$, then the probability that $(x, w) \not\in \ZKSatisfying$ is negligable. |
|
|
|
\item \textbf{Statistical Zero Knowledge:} An honestly generated proof is statistical |
|
|
|
zero knowledge. \todo{Full definition.} |
|
|
|
zero knowledge. That is, there is a feasible stateful simulator $\Simulator$ such that, |
|
|
|
for all stateful distinguishers $\Distinguisher$, the following two probabilities are |
|
|
|
negligibly close: |
|
|
|
\vspace{0.5ex} |
|
|
|
|
|
|
|
$\;\;\Prob{ |
|
|
|
(x, w) \in \ZKSatisfying \\ |
|
|
|
\Distinguisher(\Proof) = 1 |
|
|
|
}{ |
|
|
|
(\pk, \vk) \leftarrowR \ZKGen() \\ |
|
|
|
(x, w) \leftarrowR \Distinguisher(\pk, \vk) \\ |
|
|
|
\Proof \leftarrowR \ZKProve{\pk}(x, w) |
|
|
|
} |
|
|
|
\text{\; and \;} |
|
|
|
\Prob{ |
|
|
|
(x, w) \in \ZKSatisfying \\ |
|
|
|
\Distinguisher(\Proof) = 1 |
|
|
|
}{ |
|
|
|
(\pk, \vk) \leftarrowR \Simulator() \\ |
|
|
|
(x, w) \leftarrowR \Distinguisher(\pk, \vk) \\ |
|
|
|
\Proof \leftarrowR \Simulator(x) |
|
|
|
}$ |
|
|
|
\end{securityrequirements} |
|
|
|
|
|
|
|
These definitions are derived from those in \cite[Appendix C]{BCTV2014}, adapted to |
|
|
|
state concrete rather than asymptotic security. ($\ZKProve{}$ corresponds to $P$, |
|
|
|
$\ZKVerify{}$ corresponds to $V$, and $\ZKSatisfying$ corresponds to $\mathcal{R}_C$ |
|
|
|
in the notation of that appendix.) |
|
|
|
state concrete security for a fixed circuit, rather than asymptotic security for |
|
|
|
arbitrary circuits. ($\ZKProve{}$ corresponds to $P$, $\ZKVerify{}$ corresponds to $V$, |
|
|
|
and $\ZKSatisfying$ corresponds to $\mathcal{R}_C$ in the notation of that appendix.) |
|
|
|
|
|
|
|
The Proof of Knowledge definition is a way to formalize the property that it is |
|
|
|
infeasible to find a new proof $\Proof$ where $\ZKVerify{\vk}(x, \Proof) = 1$ without |
|
|
|
\emph{knowing} an \auxiliaryInput $w$ such that $(x, w) \in \ZKSatisfying$. |
|
|
|
(It is possible to replay proofs, but informally, a proof for a given $(x, w)$ gives |
|
|
|
no information that helps to find a proof for other $(x, w)$.) |
|
|
|
Note that Proof of Knowledge implies Soundness --- i.e.\ the property that it is |
|
|
|
infeasible to find a new proof $\Proof$ where $\ZKVerify{\vk}(x, \Proof) = 1$ without |
|
|
|
\emph{there existing} an \auxiliaryInput $w$ such that $(x, w) \in \ZKSatisfying$. |
|
|
|
|
|
|
|
It is possible to replay proofs, but informally, a proof for a given $(x, w)$ gives |
|
|
|
no information that helps to find a proof for other $(x, w)$. |
|
|
|
|
|
|
|
The \provingSystem is instantiated in \crossref{proofs}. |
|
|
|
$\ZKJoinSplit$ refers to this \provingSystem specialized to the \joinSplitStatement |
|
|
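Review bot: the new Statistical Zero Knowledge definition quantifies over "all stateful distinguishers \Distinguisher" but never says they are computationally unbounded; with a feasible simulator and an unspecified distinguisher class the requirement reads as computational rather than statistical zero knowledge. Either state that \Distinguisher ranges over unbounded distinguishers, or phrase the requirement as the statistical distance between the two distributions on \Proof being negligible. Two smaller points: both \Prob displays include (x, w) \in \ZKSatisfying in the event, which is right since \Distinguisher may output a non-satisfying pair, but the sentence introducing the display should say so; and the context line "negligable" should read "negligible" (not introduced here, but worth fixing while this block is touched).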
@ -4035,6 +4075,15 @@ The errors in the proof of Ledger Indistinguishability mentioned in |
|
|
|
\introlist |
|
|
|
\nsection{Change history} |
|
|
|
|
|
|
|
\subparagraph{2017.0-beta-2.2} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
\item Give definitions of computational binding and computational hiding |
|
|
|
for commitment schemes. |
|
|
|
\item Give a definition of statistical zero knowledge. |
|
|
|
\end{itemize} |
|
|
|
|
|
|
|
\introlist |
|
|
|
\subparagraph{2017.0-beta-2.1} |
|
|
|
|
|
|
|
\begin{itemize} |
|
|
|
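Review bot: the 2017.0-beta-2.2 change-history entry lists only the two new definitions, but the same change also rewords the BCTV2014 comparison (concrete security for a fixed circuit versus asymptotic security for arbitrary circuits) and adds the remark that Proof of Knowledge implies Soundness; suggest adding an item for each so the history matches the diff.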