Questions tagged [snarks]

SNARKS (short non-interactive arguments of knowledge) are space-efficient zero-knowledge proofs that do not require input from a verifier.

SNARKS are

  • Short (space-efficient)
  • Non-interactive (able to be produced by a prover without communicating with a verifier)
  • ARguments of Knowledge (demonstrations of knowledge of a secret value that do not compromise that secret)

124 questions

10 votes, 1 answer

Why invent new hash functions for zero-knowledge proofs?

Recently, new hash functions were invented. Their primary purpose is serving the needs of zero-knowledge proof systems. I'm talking about Poseidon-256, Starkad-256, etc. See the paper. What is the main advantage of those hash functions against…
Paul Miller

8 votes, 3 answers

Why is it said that “zk-SNARKs need a trusted setup” to work?

What is the meaning of a "trusted setup" in this context? It is often said all around that zk-STARKs and Bulletproofs do not require a trusted setup. How do zk-STARKs and Bulletproofs manage to avoid the need for a trusted setup?
Diving

8 votes, 2 answers

How to construct a circuit in zkSNARK

I have a few questions about how to use zk-snark. Since the basic logic of using zk-snark is: using a circuit to represent a problem, generate an R1CS from the circuit, transform R1CS to QAP and then we can run zk-snark. For the first part, is…

6 votes, 1 answer

Which is the relation between Zero-Knowledge Proofs of Knowledge and circuits?

With the risen popularity of Zero-Knowledge Proofs of Knowledge (ZKPoKs) such as Pinocchio, Groth16 and Sonic, to name some ZKPoKs that are popularly known as zk-SNARKs, I got engaged to understand what is going on behind the hood on these…
Bean Guy

6 votes, 1 answer

CRS vs SRS in zk-SNARK

Are Common Reference String (CRS) and Structured Reference String (SRS) the same in the preprocessing phase of zk-SNARK? Is there any difference between them?
blockByblock

6 votes, 1 answer

Arithmetic Circuits to R1CS. Do we consider addition gates or not?

Here is Ariel Gabizon's blog for the process of converting Arithmetic Circuits into R1CS - https://electriccoin.co/blog/snark-explain5/ Here, he writes: We assume multiplication gates have exactly two input wires, which we call the left wire and…
user93353

4 votes, 1 answer

Definition of Circuit Satisfiability In The Context of zk-SNARKs

A standard theorem is that boolean circuit satisfiability is NP-complete (shown in CLRS, for example). I am interested in what these statements formally mean. From CLRS, I can cite that $$\text{CIRCUIT-SAT} = \{C \mid \text{$C$ is a satisfiable…
cadaniluk

4 votes, 2 answers

Can zksnark prove DLP?

Can one use zksnark to prove the knowledge of a discrete logarithm? In other words, can zksnark (R1CS) encode exponentiation?
Sean

4 votes, 1 answer

Why is the first coefficient set to 1 in both GGPR13 & Groth16 SNARKS?

From GGPR13 Section 7.1, Page 42 ($v_0(x) +\sum_{k=1}^m a_k \cdot v_k(x)) \cdot (w_0(x) +\sum_{k=1}^m a_k \cdot w_k(x)) - (y_0(x) +\sum_{k=1}^m a_k \cdot y_k(x))$ If you notice, the term $a_k$ is there only for $k = 1$ to $m$. The first terms…
user93353

4 votes, 1 answer

Make sure of Quadratic Arithmetic Program validity

In the process of learning zk-SNARKs, I'm faced with this problem: I understand why if the prover sends a polynomial $P$ that can be divided by $T$, the target polynomial, the prover knows a valid assignment. But I don't understand how the verifier…
upavloff

4 votes, 1 answer

Why does the challenge need to be prime in Wesolowski's succinct argument of $y=x^{e}$?

In Wesolowski's VDF (verifiable delay function) a prover produces a pair $(x, y)$ and needs to argue to the verifier that the pair satisfies $y = x^e \pmod N$ for some $e$ computable to both. The verifier is compute limited and $e$ is really large,…
MERTON

4 votes, 2 answers

What would be the degree (or range of the degree) of the polynomial used in real life zkSnarks as used in blockchains?

I am reading this explanation of zkSnarks written by Maksym Petkus - Why and How zk-SNARK Works. They work through the concept of zkSnarks using a polynomial which the prover knows & he has to convince the verifier that he knows it. The verifier…
user93353

3 votes, 0 answers

Is it possible to verify the computation of a hash function without actually proving it in zero knowledge?

Let me first introduce the context: Let's say that we have a hash function evaluation: $$h = H(x, y),$$ where $x$ and $y$ are the public and the private input of the hash function $H$, respectively. Then, if I want to prove to someone that this…

3 votes, 1 answer

Is zk-SNARK not suitable for constructing anonymous authentication schemes?

zk-SNARK was a powerful tool for privacy-respecting e-cash. However, in recent years, in the literature about anonymous authentication schemes, such as group signatures, anonymous credentials, blind signatures, etc., the construction of these schemes did…
X.H. Yue

3 votes, 1 answer

libsnark generator toxic waste

I'm looking through the test and examples of libsnark, let's take for example here: https://github.com/christianlundkvist/libsnark-tutorial/blob/master/src/test-gadget.cpp at line 19 there's: default_r1cs_ppzksnark_pp::init_public_params(); Is…
T. Rossi