Worth noting that, while a *lot* of ZKP constructions that are used in the real world use pairings, they're not necessary. If you even understand just the Schnorr signature (or more basically, the Schnorr identity protocol), you already know the basic ideas behind ZK proofs (see: "Extractor" and "Simulator"). A Schnorr signature (if it uses pubkey prefixing) is technically a "zero knowledge proof of knowledge" of the private key. For the general case of "proving a statement in zero knowledge" you need a more general construction, which you can get from the Schnorr construct using "generalized sigma protocols". And you can even construct properly general zero knowledge proofs by a clever extension of that basic idea, see "Bulletproofs"; this does not use pairings but only the same ECDLP assumption that Schnorr itself uses.

And there are other possibilities, see "STARKs" which are actually just succinct proofs, not zero knowledge proofs, but they can be extended into zkSTARKs. These just use hashes, not pairings or elliptic curves even.
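The Schnorr identity protocol, simulator and extractor mentioned in the note above, as an added worked example (this is illustrative code written for this page, not the note author's or any library's). It assumes a constructed toy prime-order subgroup of Z_p^* instead of an elliptic curve so that it runs with plain integers; the protocol logic is the same under ECDLP. The simulator shows why the transcript leaks nothing (it produces accepting transcripts without the key), the extractor shows why it is a proof of knowledge (two transcripts sharing a commitment yield the key), and the Fiat-Shamir step with public-key prefixing turns the protocol into a Schnorr signature.

```python
import hashlib
import secrets

# Constructed toy group (assumption, illustration-sized): p = 2q + 1 with p and q
# prime, G a generator of the order-q subgroup of Z_p^*. Real systems use
# 256-bit elliptic-curve groups; the arithmetic below is otherwise identical.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1  # G has order exactly Q


def keygen():
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- Interactive Schnorr identification: prover shows it knows x behind y ---
def prover_commit():
    """Fresh nonce k and commitment R = g^k."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)


def verifier_challenge():
    """Random challenge e in [0, q-1]."""
    return secrets.randbelow(Q)


def prover_respond(x, k, e):
    """Response s = k + e*x mod q."""
    return (k + e * x) % Q


def verify(y, R, e, s):
    """Accept iff g^s == R * y^e (mod p)."""
    return pow(G, s, P) == (R * pow(y, e, P)) % P


# --- Simulator: accepting transcripts WITHOUT x (the zero-knowledge property) ---
def simulate(y):
    """Pick e and s first, then solve for the R that makes verify() accept."""
    e = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    R = (pow(G, s, P) * pow(y, (-e) % Q, P)) % P   # R = g^s * y^(-e)
    return R, e, s


# --- Extractor: two transcripts with the same R, different e, reveal x ---
def extract(R, e1, s1, e2, s2):
    """s1 - s2 = (e1 - e2) * x mod q, so x = (s1 - s2) / (e1 - e2)."""
    assert e1 != e2
    return ((s1 - s2) * pow(e1 - e2, -1, Q)) % Q


# --- Fiat-Shamir with public-key prefixing: the Schnorr signature ---
def _challenge(y, R, msg):
    """Challenge derived from the public key, the commitment and the message."""
    h = hashlib.sha256(f"{y}|{R}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def sign(x, msg):
    k, R = prover_commit()
    e = _challenge(pow(G, x, P), R, msg)
    return R, prover_respond(x, k, e)


def verify_sig(y, msg, sig):
    R, s = sig
    return verify(y, R, _challenge(y, R, msg), s)
```

The extractor is also the defender's reason a signer must never reuse a nonce: two real signatures that share R are exactly the two transcripts `extract()` needs, so nonce reuse (or a biased nonce generator) hands the private key to anyone holding both signatures.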

Discussion

Love the explanation! Thank you. I had a feeling the ZKPs might be an unnecessary bolt-on for a lot of things. In the mainstream world, I get the sense they are a misdirection from some of the more fundamental problems that need to be solved.

I think they're going to continue to be a very big deal. With the nuance that there are many situations where being actually zero knowledge isn't as important, just the succinctness matters. That you can verify correctness of execution of a million lines of code in milliseconds is pretty crazy and often useful.

TIL zkSTARKs are hash based. Thank you for good keywords to dig into.