w3f / ring-vrf

MIT License

Section 6 comments #45

Closed hndnklnc closed 1 year ago

hndnklnc commented 1 year ago

My replacement texts are in blue and my questions and comments are in pink in the pdf. ring_vrf.pdf

AlistairStewart commented 1 year ago

> (Maybe some remarks why we define ZK only for Reprove? Does it cover ZK for Preprove as well?)

No, we have to run preprove and then reprove to get ZK at all. So we split the usual prove into preprove and reprove and can reuse the preproof part.

hndnklnc commented 1 year ago

> > (Maybe some remarks why we define ZK only for Reprove? Does it cover ZK for Preprove as well?)
>
> No, we have to run preprove and then reprove to get ZK at all. So we split the usual prove into preprove and reprove and can reuse the preproof part.

I don't think it is correct. We define zk for reprove for all verified X,pi,b not necessarily the output of PreProve.

AlistairStewart commented 1 year ago

> > > (Maybe some remarks why we define ZK only for Reprove? Does it cover ZK for Preprove as well?)
> >
> > No, we have to run preprove and then reprove to get ZK at all. So we split the usual prove into preprove and reprove and can reuse the preproof part.
>
> I don't think it is correct. We define zk for reprove for all verified X,pi,b not necessarily the output of PreProve.

Yes, the output of preprove is not necessarily ZK. You need to run preprove then reprove on its output to get a ZK proof.

AlistairStewart commented 1 year ago

> (We should say what is the difference from Groth16.Setup or it is the same. I think in general in SpecialG, you should tell which part is from Groth16 or Legosnark and where we change it while describing the algorithms. It will be much clearer for the reader to verify. You have notes in the end but I think it is better to have it while describing since you can tell more right away from the algorithm than in the end of everything)

I agree that we should compare better with LegoGro16. The protocols are almost identical: The srs and verification steps are the same and preprove and reprove on the output of preprove is the same as their prove.

For the theorem 2 proof, we should also give intuition about this comparison. Our knowledge soundness is weaker than their knowledge soundness for cc-SNARKs with doublebinding as per their Definition 3.4 and our ZK property is new.

AlistairStewart commented 1 year ago

> (It is a completeness definition for R2 but there is nothing related to R2 below. We want to define a new completeness definition for NIZKR. So, I suggest you replace everything before given (|) with NIZKR.Ver((crsR, (ȳ, z̄), (π1, π2, X))) → 1 because everything you have before | are already satisfied from the NIZK completeness and ZKCont special completeness, so they are already satisfied, they are not new statements.)

Partly agree: I think we want the part before | to be of the form:

Two conditions about A's R_1 proof => NIZKR.Ver((crsR, (ȳ, z̄), (π1, π2, X))) → 1

The right hand side of the two implications we have and Verification for R_2 should be enough to imply NIZKR.Ver((crsR, (ȳ, z̄), (π1, π2, X))) → 1, which is what completeness should be.

Then we can add intuition that a user can even run reprove on a proof from an untrusted prover rather than run preprove themselves and still obtain completeness.

hndnklnc commented 1 year ago

@InaOana a small correction that I realised now: I think v_i should be replaced by x_i in the algorithm SpecialG.Preprove

InaOana commented 1 year ago

> @InaOana a small correction that I realised now: I think v_i should be replaced by x_i in the algorithm SpecialG.Preprove

Indeed, agreed. It makes sense. Thank you.