[Q&A] Zero-Knowledge Proofs
- How to explain ZK proofs to a 7 year old?
- Are there lower bounds on the size and interaction of a ZK proof with a given soundness error?
- Can we do zero-knowledge proofs for BPP statements? (short answer: just send the witness!)
- What is the difference between ZK proofs and ZK proofs of knowledge? (short answer: in ZK proof of knowledge, an extractor can recover the witness)
- Why is computational ZK the most general notion of zero-knowledge?
- How to choose the security parameter for a ZK proof?
- Are there lower bounds on the round complexity and communication of ZK proofs? (and also: how far are existing ZK proofs from these bounds)
- How do common reference strings help in ZK proofs? (short answer: they help reducing round complexity)
- What are the links between ZK proofs and homomorphic encryption? (short answer: there are many links.)
Understanding ZK proofs
- Why is “sending a hash of the witness” not a valid ZK proof of knowledge of the witness? (also includes a walkthrough of why Schnorr’s proof is a honest-verifier ZK proof)
- Why is the Diffie-Hellman key-exchange protocol not a proof of knowledge of a discrete logarithm? (also includes a discussion about knowledge-of-exponent assumptions, and public-coin versus private coin proofs)
Building ZK proofs
- How to prove that a committed value is the square of the other?
- How to prove that a committed number belongs to a certain range?
- What are the different techniques to build a range proof?
- Where did the four square decomposition technique originate?
- How to prove that a number is not within a range?
- How to prove knowledge of a witness for a DDH tuple?
- Is it possible to prove knowledge of an AES key without showing it? (short answer: yes)
- How to prove correctness of a long computation with a short proof?
- Can we replace pairings by homomorphic encryption in SNARGs/SNARKs? (short answer: yes, but it becomes designated-verifier)
- How to prove soundness of $\Sigma$-protocols in unknown-order groups?
- Is it possible to randomize a non-interactive ZK proof? (short answer: yes)
- What are the security issues of making ZK proofs non-interactive with Fiat-Shamir? (short answer: transferability, computational soundness)
- How to verify a signature on an encrypted message?
- Why is Schnorr’s proof not an argument? (short answer: recovering the discrete log in unbounded time does not contradict soundness)
- Why is a transparent setup desirable for SNARKs?
- Do NIZKs imply simulation-sound NIZKs? (short answer: yes)
- Are there post-quantum SNARGs?