Closed copumpkin closed 4 years ago
I need to do more research to figure out how to create the proof zkp[there exists s: h = HASH(s) and a = XMRAddress(s)]. My first thought is to use zkSNARK, but I need to find a way to express the NP statement.
I've updated the protocol but the zero-knowledge proofs are the same. I started looking more in depth into Bulletproofs zkp; like zkSNARKs, they can prove arbitrary arithmetic circuits and so pre-image + range proofs. And that is what is needed.
I'm interested especially in the Rust implementation by dalek-cryptography (https://github.com/dalek-cryptography/bulletproofs).
Thanks to recent research funding I had the possibility to work again on the protocol, and after reading and discussing with the Monero Research Lab I discovered new techniques to achieve the same result without generic zero-knowledge proof circuits. The result is now merged on master if you want to have a look!
More will be published soon about the research results.
When I raised the question on IRC, I was wondering specifically if folks had more thoughts on the zkp part of your proposal. The usual bitcoin ZKCP example that gets thrown around is the pay-for-sudoku-solution, and that was a nontrivial amount of work. I'm unclear on how much work this particular ZK proof would be. It seems like a fairly mechanical "shape" of proof, but I don't have a good sense for how much data would be involved.