Hi :wave: Thanks for reaching out.
> From [1] I gather that everything is kinda glued together via Schnorr.
Correct.
> Is there a formal description on how this works? I am really curious about this...

If you mean proofs, then no, don't have it for the exact combination (BBS+ & LegoGroth16) but the idea is that the snark proof contains a Pedersen commitment to the witness(es). This witness (which is a BBS+ message) is also used in the proof of knowledge of the BBS+ signature, notice commitment d in section 4.5 of the paper, so we prove that the witness used in both the Pedersen commitment from the snark and d is indeed the same.
> Could not think of how to prove the usage of the witness from the BBS+ in the range proof

Yes, it's possible. I did that in my own fork while I was contributing to ursa. See these 2 tests. The idea is the same with Bulletproofs as here also you have a commitment to the witness and you can prove equality of the witness with the message in d in the BBS+ proof.
> Would there be anything blocking the combination of the two from the get-go or could one "plug in" Bulletproofs
No blocker as evident from above.
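The equality argument described in the reply above, as an added example that is not part of the thread or of the docknetwork/crypto code: a Schnorr proof that two Pedersen commitments (stand-ins for the commitment in the snark proof and for d in the BBS+ proof) hide the same message, bound together by one shared response. The toy group, the generators and all function names are assumptions chosen for illustration and are far too small to be secure.

```python
import hashlib
import secrets

# Toy group (assumption, NOT secure): order-Q subgroup of squares in Z_P*.
P, Q = 2039, 1019
# Two independent Pedersen bases; in a real system the discrete-log
# relations between them must be unknown to the prover.
G1, H1 = 4, 9      # stand-in for the commitment inside the snark proof
G2, H2 = 25, 49    # stand-in for the commitment d in the BBS+ proof

def commit(g, h, m, r):
    """Pedersen commitment g^m * h^r mod P."""
    return pow(g, m, P) * pow(h, r, P) % P

def challenge(*elems):
    """Fiat-Shamir challenge over both statements and both announcements."""
    data = b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(m1, r1, m2, r2):
    """Schnorr proof that C1 and C2 hide the same message.

    An honest prover calls this with m1 == m2. The message blinding `a`
    and the response s_m are shared by both sub-proofs; that sharing is
    what binds the two commitments to one witness.
    """
    a, b1, b2 = (secrets.randbelow(Q) for _ in range(3))
    c1, c2 = commit(G1, H1, m1, r1), commit(G2, H2, m2, r2)
    t1, t2 = commit(G1, H1, a, b1), commit(G2, H2, a, b2)
    c = challenge(c1, c2, t1, t2)
    s_m = (a + c * m1) % Q          # single response for the message
    return c1, c2, (t1, t2, s_m, (b1 + c * r1) % Q, (b2 + c * r2) % Q)

def verify(c1, c2, proof):
    """Check both Schnorr equations using the one shared s_m."""
    t1, t2, s_m, s1, s2 = proof
    c = challenge(c1, c2, t1, t2)
    ok1 = commit(G1, H1, s_m, s1) == t1 * pow(c1, c, P) % P
    ok2 = commit(G2, H2, s_m, s2) == t2 * pow(c2, c, P) % P
    return ok1 and ok2
```

If the two commitments hide different messages, the second equation fails unless the challenge happens to be 0 mod Q, which is why the group order must be large in practice.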
Thank you for the quick reply!
> If you mean proofs, then no, don't have it for the exact combination (BBS+ & LegoGroth16) but the idea is that the snark proof contains a Pedersen commitment to the witness(es).
Yes, I was thinking about this - thanks for the hints! I will have a look at the math...
> Yes, it's possible. I did that in my own fork while I was contributing to ursa. See these 2 tests.

Cool! Was there a specific reason you went with LegoGroth16 instead of Bulletproofs then? I am not yet sure what the implications of the trusted setup are if the verifier is dishonest... (e.g. trying to figure out the witness) I will have to double check that.
> Was there a specific reason you went with LegoGroth16 instead of Bulletproofs then?
Faster verification.
> I am not yet sure what the implications of the trusted setup are if the verifier is dishonest
A verifier who did the trusted setup cannot learn the witness but can only forge proofs, i.e. create a proof for a witness that does not satisfy the relation. In our case, the verifier has no incentive to do that.
Thanks a lot!
Hi! :wave: Thank you for your great work! (Especially all the comments in the code!)
I was looking at how the composite proof system works, especially focusing on BBS+ with LegoGroth16. From [1] I gather that everything is kinda glued together via Schnorr. Is there a formal description on how this works? I am really curious about this...
I recently looked into combining BBS+ and Bulletproofs (with Hyperledger Ursa) but got stuck at exactly that point... Could not think of how to prove the usage of the witness from the BBS+ in the range proof (...still learning...). As a side question: Would there be anything blocking the combination of the two from the get-go or could one "plug in" Bulletproofs (to avoid the trusted setup) using the same approach to composite proofs (i.e. adding to this repo)?
Cheers Christoph
[1] https://github.com/docknetwork/crypto/blob/main/proof_system/src/sub_protocols/bound_check_legogroth16.rs