Closed uvdsl closed 8 months ago
Hi.
I am wondering about the terminology of the witness and its "implementation".
The term "witness" is found in zero-knowledge proof literature to refer to the data known to the prover (and not the verifier) and whose knowledge is being proven in the proof, see definition 19.2 and 19.3 here.
Is the witness the actual secret value, or is it some wrapper around it, e.g., a commitment (or rather, the value committed to and opening of said commitment)?
It's the actual secret value, the wrapper is just an abstraction. Regarding commitments, they are usually not the witness (unless the proof is about proving knowledge of a commitment and not just its opening), the opening (committed value and any randomness used) is the witness when the proof is for the knowledge of the opening.
This equality proof is done via Schnorr, as far as I understand, where we prove knowledge of the committed value (the witness?) and the opening for the commitment (also part of the witness then?) that is used in the particular other proofs (POKS, set membership, etc). What is part of the witness here?
The opening of the commitment is/includes the committed value and will be the witness. E.g. in a Pedersen commitment $C = g \cdot m + h \cdot r$, $g$ and $h$ are public but $m$ and $r$ are the opening ($m$ and $r$ being the committed value and randomness respectively) and known only to the committer. When the committer proves knowledge of opening of $C$, it proves that given public $C$, $g$, and $h$, it knows $m$ and $r$ that satisfy $C = g \cdot m + h \cdot r$.
In the case of POKS, the messages not being revealed and the signature are the "witness".
I feel that the term witness is used quite heterogeneously on the Web - and, FWIW, Rannenberg, Camenisch and Sabouri don't even mention that term in their work on Attribute-based Credentials for Trust.
Probably to avoid jargon :), and the book is about the application of ZKP. Have only read small part of it though.
Hope that helps.
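As an added illustration (not code from this repository), the Schnorr-style proof of knowledge of a Pedersen opening described above, extended to two commitments that share the same committed value, which is what the witnessEquality meta-statement expresses: the witness of each statement is its opening (m, r), and the two statements are tied together by sharing the response for m. The group parameters and generators are constructed toy values, far too small for real use.

```python
"""Pedersen commitments with Schnorr-style proofs, mirroring the thread:
the witness is the opening (m, r); a second statement over the same m is
tied to the first by reusing the response for m (witness equality)."""
import hashlib
import secrets

# Constructed toy Schnorr group for illustration only (not secure): p = 2q + 1,
# q prime, so non-trivial squares mod p generate the subgroup of prime order q.
P, Q = 1019, 509
G, H = 4, 9  # two squares mod P; assumed independent generators for this toy

def commit(m: int, r: int) -> int:
    """Pedersen commitment C = g^m * h^r (multiplicative notation)."""
    return (pow(G, m, P) * pow(H, r, P)) % P

def _challenge(*parts: int) -> int:
    """Fiat-Shamir challenge in [1, Q-1] over the public statement/announcements."""
    data = b"|".join(str(x).encode() for x in parts)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def prove_opening(C: int, m: int, r: int) -> tuple:
    """Prove knowledge of witness (m, r) with C = g^m h^r; only C, g, h are public."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    T = commit(a, b)                       # blinded announcement of (a, b)
    e = _challenge(G, H, C, T)
    return T, (a + e * m) % Q, (b + e * r) % Q

def verify_opening(C: int, proof: tuple) -> bool:
    """Check g^z_m h^z_r == T * C^e; the verifier never learns m or r."""
    T, z_m, z_r = proof
    return commit(z_m, z_r) == (T * pow(C, _challenge(G, H, C, T), P)) % P

def prove_same_message(C1: int, C2: int, m: int, r1: int, r2: int) -> tuple:
    """Composite proof that C1 and C2 open to the same m. The two statements
    get separate randomness responses but share z_m (same blinding a for m),
    which is exactly what a witness-equality meta-statement enforces."""
    a, b1, b2 = (secrets.randbelow(Q) for _ in range(3))
    T1, T2 = commit(a, b1), commit(a, b2)  # same a for the shared witness m
    e = _challenge(G, H, C1, C2, T1, T2)
    return T1, T2, (a + e * m) % Q, (b1 + e * r1) % Q, (b2 + e * r2) % Q

def verify_same_message(C1: int, C2: int, proof: tuple) -> bool:
    T1, T2, z_m, z1, z2 = proof
    e = _challenge(G, H, C1, C2, T1, T2)
    return (commit(z_m, z1) == (T1 * pow(C1, e, P)) % P
            and commit(z_m, z2) == (T2 * pow(C2, e, P)) % P)
```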
Hi, thank you for the explanation! The terminology is much clearer to me now and the code (abstraction) also makes more sense. Thanks again!
You're welcome.
Hi :wave: I am still admiring your work!
I am wondering about the terminology of the witness and its "implementation". From the docs:
So:
And, for two statements (e.g. for POKS and set membership), the witnesses are distinct objects in code, but "reference" the same value. This equality of the witnesses is what we prove with witnessEquality in the metaStatements.
I feel that the term witness is used quite heterogeneously on the Web - and, FWIW, Rannenberg, Camenisch and Sabouri don't even mention that term in their work on Attribute-based Credentials for Trust. I'd appreciate if you could clarify your understanding of the term witness and how it relates to the composite proofs.
Cheers Christoph