ZKP学习笔记
ZK-Learning MOOC课程笔记
Lecture 11: From Practice to Theory (Guest Lecturer: Alex Lombardi)
11.4 Use CI to instantiate Fiat-Shamir
-
Avoid Bad Challenges
- Def: Given false claim x x x and a first message α \alpha α, a challenge β \beta β is “bad” if there exists a prover message g a m m a gamma gamma making V V V accept
- We want to say: if the (3 message) interactive protocol is sound, then (for all x x x, α \alpha α) most β \beta β are not bad. True for statistically sound IPs.
- Exactly what CI is good for! Define relation R x = α , β : β i s b a d R_x = {\alpha, \beta: \beta is bad} Rx=α,β:βisbad. Then if h h h is CI for R x R_x Rx (when x ∉ L x \notin L x∈/L), Π F S \Pi_{FS} ΠFS is sound using h h h!
- Protocols with more than 3 messages: round-by-round soundness (each round has a type of “bad challenge” to avoid).
- Main technical challenges:
- Sometimes our IP doesn’t have statistical soundness.
- We can only build CI for relations R R R that can be decided efficiently
-
Important example: SNARGs via IOPs (PCPs)
-
SNARGs from PCPs [Kilian, Micali]
- Candidate SNARG: apply Fiat-Shamir to this protocol!
- Simplified (less efficient) version of modern SNARKs you’ve learned about.
- Not statistically sound, so it’s not clear how to analyze FS without random oracles.
-
SNARGs for Batch NP
-
Interactive Batch Arguments from PCPs [CJJ21]
-
SSB Commitments
-
Interactive Batch Arguments from PCPs [CJJ21]
-
-
-
Summary of Fiat-Shamir without RO
- Use hash functions that are CI for appropriate functions/relations
- [CCHLRRW19,PS19,BKM20,JJ21,HLR21]
- Carefully show that FS-soundness for protocols of interest follows from compatible forms of CI
- [CCHLRRW19]: (non-succinct) NIZK
- [JKKZ21]: non-interactive sumcheck protocol
- [CJJ21]: batch NP arguments
- Open problems:
- Characterize which protocols can be FS-compiled (we know it doesn’t work in general [Bar01, GK03])
- SNARGs for NP from falsifiable assumptions?
- Use hash functions that are CI for appropriate functions/relations
