zlacker

[return to "Opening up ‘Zero-Knowledge Proof’ technology"]
1. bobbie+yc[view] [source] 2025-07-03 19:02:07
>>doomro+(OP)
Anyone have a good explanation on the intuition of non-interactive zero-knowledge proofs? For example, I thought the "paint-mixing" analogy for Diffie-Hellman key exchange (https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange#Ge...) really helped me handwave the math into "mixing easy, unmixing hard".

https://blog.cryptographyengineering.com/2014/11/27/zero-kno... was a good intro for interactive ZK proofs but I haven't been able to find something for non-interactive ones.

This blog post comparing ZK-STARKs to erasure coding is in the right flavor but didn't quite stick to my brain either: https://vitalik.eth.limo/general/2017/11/09/starks_part_1.ht...

◧◩
2. coldpi+1e[view] [source] 2025-07-03 19:09:58
>>bobbie+yc
Yeah I'm also interested in some of the details here, but the linked library repo is a bit too low-level for my current understanding.

For example, in the usecase of providing a proof-of-age to a website: who provides the verification data (the government?); what form does that take (a file in a standard format?); who holds/owns the verification data (the user?); who runs the verification software (the end-user's web browser?).

Can the user use any implementation to provide the proof, or must it be a "blessed" implementation such as Google Wallet?

◧◩◪
3. abhv+hf[view] [source] 2025-07-03 19:21:22
>>coldpi+1e
(1) in this case, an identity issuer provides the source of truth identity information. Examples include state DMV, your passport (you can try "Id pass" in Google wallet), etc.

(2) One of the goals of this project was to layer ZK on top of current identity standards that DMVs already issue, so that gov orgs don't have to change what they currently do to support the strongest user privacy. One example format is called Mdoc.

(3) The user holds the identity information on their device only. No other copies. The user's device makes the zkp proof on-device. This was one of the major technical challenges.

(4) The relying party (eg a website) runs the zk verification algorithm on the proof that is produced by the device to ensure soundness.

(5) Yes, the user can use any compatible implementation to produce the proof. We have open-sourced our implementation and we have a spec for the proof format that others can also reimplement.

◧◩◪◨
4. miki12+4p[view] [source] 2025-07-03 20:35:46
>>abhv+hf
If you can achieve RCE on the chip and run arbitrary code without invalidating signatures, does the protocol still stay secure?

If so, what's the point of requiring your implementation to run on a verified secure element? If not, the protocol seems only as strong as the weakest chip, as obtaining just a single private key from a single chip would let you generate arbitrary proofs.

◧◩◪◨⬒
5. Matteo+QC[view] [source] 2025-07-03 22:55:28
>>miki12+4p
The role of the secure element is only to "bind" the credential to the device, so that if you copy the credential somewhere else then the credential is useless. Concretely, the secure element produces a ECDSA signature that must be presented together with the credential. This is the normal protocol without ZKP. Concretely, the SE is in the phone, but could be a yubikey or something else.

The ZKP library does not run on the secure element. It runs on the normal CPU and produces a proof that the ECDSA signature from the SE is valid (and that the ECDSA signature from the issuer is valid, and that the credential has not expired, and ...) If you crack the ZKP library, all you are doing is producing an incorrect proof that will not verify.

◧◩◪◨⬒⬓
6. tzs+zJ[view] [source] 2025-07-04 00:24:30
>>Matteo+QC
Am I correctly understanding that I'd get the credential from say my state DMV once, and then later whenever I want to prove my age to a website the proof protocol is just between that website and my device? The DMV gets no information about what websites I use the DMV credential with and they get no information about when I use the credential even if the website and the DMV decide to cooperate? All they would be able to get was that at time T someone used a credential on the site that came from the DMV?

I tried to sketch out a design an age verification system, but it involved the DMV in each verification, which made timing attacks a problem. Briefly the website would issue a token, you'd get a blind signature of the token from the DMV's "this person is 18+" service, and return the token and unblinded signature to the website. I think that can be made to work but if the site and DMV cooperated they would likely be able to unmask many anonymous site users by comparing timing.

Getting the DMV out of the picture once your device is set up with the credential from them nicely eliminates that problem.

[go to top]