13 breaking releases
0.14.0 | Sep 7, 2023 |
---|---|
0.13.0 | Jun 23, 2023 |
0.12.0 | Jun 23, 2023 |
0.10.0 | Mar 29, 2023 |
0.5.0 | Nov 5, 2021 |
#2364 in Magic Beans
531 downloads per month
Used in 7 crates
105KB
2K
SLoC
schnorr_pok
Schnorr protocol to prove knowledge of 1 or more discrete logs in zero knowledge. Refer this for more details of Schnorr protocol.
We outline the steps here for your convenience, and to make this documentation more succinct.
Prover wants to prove knowledge of x
in y = g * x
(y
and g
are public knowledge)
Step 1: Prover generates randomness r
, and sends t = g * r
to Verifier
Step 2: Verifier generates random challenge c
and send to Prover
Step 3: Prover produces s = r + x*c
, and sends s to Verifier
Step 4: Verifier checks that g * s = (y * c) + t
For proving knowledge of multiple messages like x_1
and x_2
in y = g_1*x_1 + g_2*x_2
:
Step 1: Prover generates randomness r_1
and r_2
, and sends t = g_1*r_1 + g_2*r_2
to Verifier
Step 2: Verifier generates random challenge c
and send to Prover
Step 3: Prover produces s_1 = r_1 + x_1*c
and s_2 = r_2 + x_2*c
, and sends s_1
and s_2
to Verifier
Step 4: Verifier checks that g_1*s_1 + g_2*s_2 = y*c + t
Above can be generalized to more than 2 x
s
There is another variant of Schnorr which gives shorter proof but is not implemented yet:
- Prover creates
r
and thenT = r * G
. - Prover computes challenge as
c = Hash(G||Y||T)
. - Prover creates response
s = r + c*x
and sendsc
ands
to the Verifier as proof. - Verifier creates
T'
asT' = s * G - c * Y
and computesc'
asc' = Hash(G||Y||T')
- Proof if valid if
c == c'
License: Apache-2.0
Dependencies
~5–16MB
~220K SLoC