Replying to kpr797

Maybe this is the part that scares people: a quote taken from page you shared above.

"Zero-knowledge proofs are not proofs in the mathematical sense of the term because there is some small probability, the soundness error, that a cheating prover will be able to convince the verifier of a false statement."

In other words, it is impossible to be 100% certain that nobody is cheating.
Avatar
Hanshan 10mo ago

i don't think so.

maybe informally zkp have this soundness error

but its my understanding that the Petersen commitments that Monero uses are perfectly binding.

another wiki page

https://en.m.wikipedia.org/wiki/Commitment_scheme

Reply to this note

Please Login to reply.

Discussion

Avatar
Hanshan 10mo ago

further Pedersen commitment learning 😂

these guys have a good cryptography blog

https://www.rareskills.io/post/pedersen-commitment

Avatar
Saberhagen The Nameless 10mo ago

PCs are perfectly hiding, but computationally binding, meaning a quantum adversay cannot break the hiding property(privacy), but can break the binding property(forge fake coins). AFAIK you can only have one or the other. El Gamal is the opposite.

Aside from a quantum adversary existing, it's still infeasible to break the binding property with PCs the same way it would be infeasible to figure out a Bitcoin private key from a public key

Here is another good write up by the grin community on PCs and commitment schemes:

https://docs.grin.mw/wiki/miscellaneous/switch-commitments/#properties-of-commitment-schemes