ZKP MOOC Lecture 1: Introduction and History of ZKP

Показать описание

Shafi Goldwasser, ZKP MOOC Spring '23

Berkeley RDI Center on Decentralization & AI

Рекомендации по теме

Комментарии

Thanks Prof. Goldwasser. The use of practical, visual examples and historical references to research progress in the field add a lot of value.

nicolasdecouttere

I believe there is typo on slide 19. The verification equation z^2 = sy^b (mod N) so if b = 1 then send z = r * sqrt (y) else send z = r (In the slides, it is other way round).

mukeshtiwari

Great lecture. It finally clicked for me after coming up with this general description of the interaction protocols:

The verifier asks the prover to perform task A or task B, but ahead of time the prover doesn't know which. If the prover _actually_ knows the secret, then it can always perform task A and B. But if the prover doesn't know the secret, then it can only "fake" one of the tasks. I.e. it can fake the correct answer for task A, but this means it doesn't have the answer for B (and vice versa). Assuming the verifier selects A or B at random, then a prover without the secret has a 50% chance of "faking" the wrong task, and therefore being unable to answer the verifier.

After 1 iteration there's a 50% chance the prover knew the secret and a 50% chance the prover faked it. After n iterations, there's a 1 - 1/2^n chance the prover knew the secret and a 1/2^n chance the prover faked it. The larger the n, the more convinced the verifier will be.

DaltonSweeney

gm. Always cool to hear ZKP explained by one of the inventors of ZKP

portport

On slide 58 (G3-Colorable) ZKIP protocol, why does verifier reject if the two adjacent vertices have different colors?

xinyuzhang

If the verifier can query the prover multiple times for each possibility of b and use all the responses together to determine the secret, how is it still zero knowledge?
In the QR example, V gains two answers for both b=0 and b=1, and used them to deduce r. Before interaction he couldn’t have done this computation.

By definition of zk, the computation after interaction cannot be same as the computation before interaction in this case.

I feel that I’m missing something important in my zk understanding.

anusha

ZKP MOOC Lecture 1: Introduction and History of ZKP

ZKP MOOC Lecture 1: Introduction and History of ZKP

ZKP MOOC Lecture 2: Overview of Modern SNARK Constructions

ZKP MOOC Lecture 14: ZKP Applications Overview & zkBridge

ZKP MOOC Lecture 3: Programming ZKPs

ZKP MOOC Lecture 16: Hardware Acceleration of ZKP

ZKP MOOC Lecture 4: Interactive Proofs

ZKP MOOC Lecture 14: ZKP Applications

Lecture A.1: Introduction to Interactive Proofs

How does PLONK work? Part 1: What's PLONK?

What Is Zero Knowledge Proof? (ZKP) - Explainer With Animation

From ZKP To ZK SNARKs section 1

ZKP Workshop Afternoon Session

ZK 101: Intro to Zero Knowledge Proof in Blockchain

Introduction to Zero Knowledge Proofs

ZKP MOOC Lecture 7: Polynomial Commitments based on Error-correcting Codes

ZKP Hackathon: Welcome & Overview Session

Using Zero to Attack Zero-Knowledge Proof (ZKP) PLONK

LegoSNARK: Modular Design and Composition of Succinct Zero Knowledge Proofs - Dario Fiore, IMDEA

Zero Knowledge Proofs simply explained

ZKP Workshop - Morning Session

ZKP MOOC Lecture 11: From Practice to Theory

ZKP MOOC Lecture 12: zkEVM Design, Optimization and Applications

ZKP in Healthcare

Introduction to Zero Knowledge Proofs (ZKP): PLONK | Proof phase | Round 1