Zero-Knowlege Proof: Fiat-Shamir

Thanks a lot for providing valuable content which has just made me smarter

yayacamara

Let's say we want to build an application that helps us prove that we are a certain person (sth that will work as our personal ID or passport). How would we do that? You said that in order to register a user in this type of application we would have to use something strong like 2FA. How exactly would we register and use this ZKP scheme to identify as a specific person? Could you please elaborate a little bit in this kind of application for ZPK?

GajderStudio

Thanks for posting this video! It's a very clear and intuitive explanation. However, I am a bit confused about why this is "non interactive", since Victor had to send c to Peggy. Can you please clarify? Thanks!

kevinjue

If i want share bids and i want them to be secret and only the higiest bid is reveald in an MPC protocol how to do is fiat-shamir considered part of MPC protocol??

barax

So the key point is who generates the challenge value, am I right? Since the challenge is just a random value, in non-interactive ZKP, the prover can generate the challenge by himself as long as it is random and can be verified by the verifier.

soledadx

But in this approach, Victor knows Peggy's password right? if y = (g^x) % N, and (g, N) are known for both parties then. Victor knows Peggy's hashed secret.

vincentvalenzuela

What is "g" value at the beginning? Is it seed?

artjomzingfeld

1) How does this protect Peggy against brute-forcing when value of 'y' (=gx) is compromised?
The attacker can use the same GPU array to do brute-forcing when he gets the value of 'y'. Am I missing something?

2) Instead of sharing her password Peggy might get a salt from a server and compute hash(password+salt) on the client side which she sends to the server. If everything happens on the encrypted connection then I can't see how this scheme is worse compared to the described one.

nnslife

Thank you for sharing the information!

halitince