- From: Mike Lodder <mike@sovrin.org>
- Date: Wed, 4 Sep 2019 15:13:49 -0600
- To: Stephen Curran <swcurran@cloudcompass.ca>
- Cc: Daniel Hardman <daniel.hardman@evernym.com>, Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CAPhnkk6Uezg59cbUUiH=1S9ETEu=6Q=N_eQxnUWwe-W6KFkT1w@mail.gmail.com>

If the signature is disclosed, that also serves as a correlatable identifier. The main point of ZKPs is that they are meant to imply that only the proof information is disclosed and nothing else about the data used in the proof. Basically, if you prove your age is greater than 18 to me, I shouldn't be able to learn anything else about your age from that one proof. That's the *zeroness* I believe Daniel is talking about and what is meant by the definition of a ZKP.

I might ask you again if you are over 19 and if you respond yes, then I have learned a little more. ZKPs are like 20 questions. If I can ask enough questions about your age then I can figure out what its actual value is. But you don't have to answer all of my questions, but that is a side note.

On Wed, Sep 4, 2019 at 3:08 PM Stephen Curran <swcurran@cloudcompass.ca> wrote:

> Without knowing what the divergent uses of "ZKP" are I can't answer your
> question. I'm not aware of them.
>
> The key element of your message is alluded to in the second last
> paragraph, and I'm interested in what you mean by that and why it's
> important. I'm pretty sure I know - the blinded link secret used in Indy's
> ZKP implementation means that a correlatable identifier is not disclosed.
> Evidently in other (claimed) ZKP schemes they are? Is that the point, or
> am I missing it?
>
> On Wed, Sep 4, 2019 at 1:14 PM Daniel Hardman <daniel.hardman@evernym.com>
> wrote:
>
>> I've had several interactions recently, including one just today at RWOT,
>> that lead me to believe our community has divergent definitions of "ZKP" --
>> or at least we are applying "ZKP" in a credential context in fairly
>> different ways.
>>
>> I won't argue the virtue or lack of virtue of ZKPs with credentials, and
>> I'm also not trying to convince other ZKP proponents to adopt my
>> definition, but I do want to at least formally share how Hyperledger/Sovrin
>> uses that term, so we are not mischaracterized. If there are other ZKP
>> voices in this group that want to chime in with their own definitions, that
>> would be useful.
>>
>> In Hyperledger/Sovrin parlance, a ZKP is not a synonym for a presentation
>> that involves predicates; nor is it a synonym for a presentation that uses
>> CL signatures. Its defining characteristic--the "zeroness"--is how much
>> extra knowledge is leaked. If you leak zero knowledge beyond what the proof
>> request demands, then you have achieved zeroness. If you leak any knowledge
>> other than what the proof request demands, you have not. This is in the
>> spirit of the inventors of ZKPs, whose seminal paper says:
>>
>>     Zero-knowledge proofs are defined as those proofs that convey no
>>     additional knowledge other than the correctness of the proposition in
>>     question. (S. GOLDWASSER, S. MICALI, AND C. RACKOFF, The knowledge
>>     complexity of interactive proof-systems, SIAM J. Comput., 18 (1989), pp.
>>     186-208)
>>
>> Note that the Wikipedia article on this topic, as well as many online
>> tutorials, vary in whether they use this definition, or a narrower and more
>> recently prominent one that suits their own contexts. Thus, not everything
>> that you can read about ZKPs on StackOverflow or various crypto blogs is
>> actually describing the same ZKP concept as Hyperledger/Sovrin. I'm not
>> saying anybody is right or wrong--just pointing out differences.
>>
>> While it is true that Hyperledger/Sovrin implementations of ZKP
>> credentials support predicates (aka "zero knowledge proof *of knowledge*"),
>> I expect most ZKP-based presentations to disclose things as well ("zero
>> knowledge proof of *<a value>*"). For example, if you intend to ask
>> Alice to disclose her first name and city of residence, you can do this in
>> a ZKP way. You don't do this via predicates; you actually say the
>> machine-readable equivalent of "please prove the actual values of firstName
>> and cityOfResidence".
>>
>> You might say, "Well, what's the difference between ZKPs and selective
>> disclosure in that case? Why would you call that a ZKP?" And my answer
>> would be: *the ZKP that discloses 2 attributes differs from the non-ZKP
>> that discloses the same 2 attributes in whether a signature is disclosed.*
>> A ZKP discloses 2 attributes and 0 signatures (even though the credential
>> behind it has a signature over each individual attribute); a non-ZKP
>> discloses 2 attributes and 1 signature (or 2 if it supports per-attribute
>> signatures).
>>
>> I'm curious to know if I'm being pedantic and redundant here, or if I
>> raised people's eyebrows.
>>
>> --Daniel
>
> --
> Stephen Curran
> Principal, Cloud Compass Computing, Inc. (C3I)
> Technical Governance Board Member - Sovrin Foundation (sovrin.org)
>
> Schedule a Meeting: https://calendly.com/swcurran

--
Mike Lodder
Security Maven

Received on Wednesday, 4 September 2019 21:14:23 UTC
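
An added illustration, not part of the thread and not Hyperledger/Sovrin code: the Python model below tracks what a verifier can infer from a series of "value >= t" predicate answers (the "20 questions" effect described in the message above) and shows a holder that declines a predicate once any possible answer would leave too few candidate values. It performs no cryptography; `Holder`, `answer_ge`, `min_candidates`, `twenty_questions` and the 0..127 age range are hypothetical names and constructed values.

```python
class Holder:
    """Holder of a secret integer who answers 'value >= t' predicate requests.

    Models only what the verifier can infer from yes/no answers; no
    cryptography is performed. All names here are hypothetical.
    """

    def __init__(self, value, lo, hi, min_candidates=1):
        self._value = value
        self.lo, self.hi = lo, hi          # range the verifier still considers possible
        self.min_candidates = min_candidates

    def _narrow(self, t, answer):
        # Range consistent with every earlier answer plus this one.
        return (max(self.lo, t), self.hi) if answer else (self.lo, min(self.hi, t - 1))

    def answer_ge(self, t):
        """Return True/False, or None to decline the request."""
        # Decide using both possible answers, never the secret itself,
        # so that a refusal carries no information about the value.
        for hypothetical in (True, False):
            lo, hi = self._narrow(t, hypothetical)
            if 0 < hi - lo + 1 < self.min_candidates:
                return None
        answer = self._value >= t
        self.lo, self.hi = self._narrow(t, answer)
        return answer


def twenty_questions(holder, lo, hi):
    """Verifier bisects [lo, hi] with predicates; returns (answers received, range left)."""
    answered = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        reply = holder.answer_ge(mid)
        if reply is None:                  # holder declined; verifier learns nothing more
            break
        answered += 1
        lo, hi = (mid, hi) if reply else (lo, mid - 1)
    return answered, (lo, hi)


if __name__ == "__main__":
    # Constructed sample: age 37, verifier initially knows only 0..127.
    print(twenty_questions(Holder(37, 0, 127), 0, 127))
    print(twenty_questions(Holder(37, 0, 127, min_candidates=16), 0, 127))
```

With no limit, seven predicate answers pin the constructed age exactly; with `min_candidates=16` the holder stops after three, and an "over 19" request following an answered "over 18" is declined because a "no" would single out 18.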