"...We propose the first efficiently verifiable FHE scheme that allows for arbitrary depth homomorphic circuits by utilizing the double-CRT representation in which FHE schemes are typically computed, and using lattice-based SNARKs to prove components of this computation separately, including the maintenance operations. Therefore, our construction can theoretically handle bootstrapping operations. We also present the first implementation of a verifiable computation on encrypted data for a computation that contains multiple ciphertext-ciphertext multiplications. Concretely, we verify the homomorphic computation of an approximate neural network containing three layers and >100 ciphertexts in less than 1 second while maintaining reasonable prover costs."
Discussion
Yeah, I guessed you might be talking about FHE and similar stuff. But I wonder if the most basic concept still fits your description: just blind your witness and send that to the server. Then the server does the ZKP, so to speak "encrypted". This would only work directly for the simplest structures. Like a "reverse blinded signature" is the easiest one I could think of. Instead of blinding the message that the signer signs, you blind what key is being used to sign the (public) message. A signature is technically a ZKP (a zk-proof of knowledge). I have x, I give the server b+x, they sign with that: s' = k + e(b+x), I subtract eb to get s = k + ex. Notice that this is a weakness (arguably a fatal weakness) of non key-prefixed schnorr; it only works if you hash H(R,m) not H(P,R,m).
Yeah, a blind signature is a trivial case, but it seems that recent tech works scalably for more general ZK proofs
oh but of course; it's so....elementary 🙃